diff --git a/packages/security_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/packages/security_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
index 032a08c7c23..7663c206b97 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Modify an Okta Policy Rule",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:policy.rule.update",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Modify an Okta Policy Rule",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:policy.rule.update",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 21,
+ "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json b/packages/security_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json
index 2d34129fd0e..f3be43fc6dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json
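Review bot: The new top-level `"id"` repeats `attributes.rule_id` (and the uuid already encoded in the file name), which is redundant data that can drift apart if a rule file is ever edited by hand, and nothing in the diff checks that the two agree. If the saved-object wrapper requires both, the package build or its validation step should assert `id == attributes.rule_id` for every file, or derive the outer `id` from `rule_id` at generation time rather than writing it twice. The same wrapper is added in every other hunk of this diff (rule-00140285, rule-0022d47d, rule-027ff9ea, rule-02ea4563, rule-03024bd9, rule-035889c4, rule-0415f22a, rule-041d4d41), so one check covers them all. Separately, this Okta rule and the Iodine rule (rule-041d4d41) carry no `"threat"` ATT&CK mapping while every other rule in the diff has one; since the commit only re-wraps the documents, adding a mapping would be a follow-up rather than part of this change.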
@@ -1,49 +1,53 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Potential Credential Access via Windows Utilities",
- "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
- "references": [
- "https://lolbas-project.github.io/"
- ],
- "risk_score": 73,
- "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1003",
- "name": "OS Credential Dumping",
- "reference": "https://attack.mitre.org/techniques/T1003/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Credential Access via Windows Utilities",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+ "references": [
+ "https://lolbas-project.github.io/"
+ ],
+ "risk_score": 73,
+ "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "00140285-b827-4aee-aa09-8113f58a08f3",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json b/packages/security_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json
index 78d28a999fa..02e91a6f53f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json
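Review bot: In the EQL `"query"` the `event.type in (\"start\", \"process_started\")` filter is joined to the first `procdump` branch with `and`, but the remaining branches are chained with bare `or` at the same level; EQL, like most query languages, binds `and` tighter than `or`, so every branch from `ProcessDump.exe` through `diskshadow.exe` matches regardless of `event.type`, which is not what the `"from": "now-9m"` start-event design intends and will fire the same process on non-start events as well. Wrapping the whole alternation in one pair of parentheses fixes it: change `... \"process_started\") and\n/* update here ...` to `... \"process_started\") and (\n/* update here ...` and close it with `... \"/s\")\n)\n"` at the end of the string, bumping `"version"` when the rule content changes. The precedence issue predates this commit, which only re-wraps the document, so it is a follow-up.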
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "System Shells via Services",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
- "risk_score": 47,
- "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1543",
- "name": "Create or Modify System Process",
- "reference": "https://attack.mitre.org/techniques/T1543/",
- "subtechnique": [
- {
- "id": "T1543.003",
- "name": "Windows Service",
- "reference": "https://attack.mitre.org/techniques/T1543/003/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "System Shells via Services",
+ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+ "risk_score": 47,
+ "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json b/packages/security_detection_engine/kibana/security_rule/rule-027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json
index 6fe4f8210d1..9b960fcabbe 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json
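Review bot: The `"threat"` array maps this rule only to TA0003 Persistence, while its own `"description"` frames the behaviour as a privilege-escalation opportunity (a shell running as SYSTEM). T1543.003 Windows Service is listed under both Persistence and Privilege Escalation in ATT&CK, so adding a second `"threat"` entry with `"tactic": {"id": "TA0004", "name": "Privilege Escalation", ...}` and the same technique/subtechnique, plus `"Privilege Escalation"` in `"tags"`, would make the metadata match the stated intent and let tactic-based triage surface the alert. Since the commit only re-wraps the document, this would be a follow-up with a `"version"` bump.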
@@ -1,59 +1,63 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
- "false_positives": [
- "Developers performing browsers plugin or extension debugging."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "max_signals": 33,
- "name": "Potential Cookies Theft via Browser Debugging",
- "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
- "references": [
- "https://github.com/defaultnamehere/cookie_crimes",
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
- "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
- "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
- ],
- "risk_score": 47,
- "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Windows",
- "macOS",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1539",
- "name": "Steal Web Session Cookie",
- "reference": "https://attack.mitre.org/techniques/T1539/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
+ "false_positives": [
+ "Developers performing browsers plugin or extension debugging."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "Potential Cookies Theft via Browser Debugging",
+ "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+ "references": [
+ "https://github.com/defaultnamehere/cookie_crimes",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+ "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
+ ],
+ "risk_score": 47,
+ "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Windows",
+ "macOS",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1539",
+ "name": "Steal Web Session Cookie",
+ "reference": "https://attack.mitre.org/techniques/T1539/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-02ea4563-ec10-4974-b7de-12e65aa4f9b3.json b/packages/security_detection_engine/kibana/security_rule/rule-02ea4563-ec10-4974-b7de-12e65aa4f9b3.json
index 9b96c255ea9..d83871fbced 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-02ea4563-ec10-4974-b7de-12e65aa4f9b3.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-02ea4563-ec10-4974-b7de-12e65aa4f9b3.json
@@ -1,49 +1,53 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Dumping Account Hashes via Built-In Commands",
- "query": "event.category:process and event.type:start and process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")",
- "references": [
- "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
- "https://www.unix.com/man-page/osx/8/mkpassdb/"
- ],
- "risk_score": 73,
- "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1003",
- "name": "OS Credential Dumping",
- "reference": "https://attack.mitre.org/techniques/T1003/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Dumping Account Hashes via Built-In Commands",
+ "query": "event.category:process and event.type:start and process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")",
+ "references": [
+ "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+ "https://www.unix.com/man-page/osx/8/mkpassdb/"
+ ],
+ "risk_score": 73,
+ "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-03024bd9-d23f-4ec1-8674-3cf1a21e130b.json b/packages/security_detection_engine/kibana/security_rule/rule-03024bd9-d23f-4ec1-8674-3cf1a21e130b.json
index 735d6db9d02..468dc4bc475 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-03024bd9-d23f-4ec1-8674-3cf1a21e130b.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-03024bd9-d23f-4ec1-8674-3cf1a21e130b.json
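Review bot: The `"query"` filters on `event.type:start` alone, whereas the other `auditbeat-*`/endpoint process rules in this diff (rule-0022d47d, rule-027ff9ea, rule-041d4d41) accept `(start or process_started)`; if the auditbeat process dataset emits `process_started` for these sources, as those sibling rules assume, this rule silently misses that half of the events. Aligning it to `event.category:process and event.type:(start or process_started) and process.name:(defaults or mkpassdb) ...` would keep the five rules consistent and remove the gap. The commit only re-wraps the document, so this is a follow-up with a `"version"` bump.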
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
- "false_positives": [
- "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-30m",
- "index": [
- "filebeat-*",
- "logs-o365*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
- "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
- ],
- "risk_score": 21,
- "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
+ "false_positives": [
+ "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
+ ],
+ "risk_score": 21,
+ "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-035889c4-2686-4583-a7df-67f89c292f2c.json b/packages/security_detection_engine/kibana/security_rule/rule-035889c4-2686-4583-a7df-67f89c292f2c.json
index 3d511124880..89a925ddb7f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-035889c4-2686-4583-a7df-67f89c292f2c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-035889c4-2686-4583-a7df-67f89c292f2c.json
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. This may indicate a defense evasion attempt.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "High Number of Process and/or Service Terminations",
- "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")",
- "risk_score": 47,
- "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "threshold": {
- "field": [
- "host.id"
+ "attributes": {
+ "author": [
+ "Elastic"
 ],
- "value": 10
+ "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. This may indicate a defense evasion attempt.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "High Number of Process and/or Service Terminations",
+ "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")",
+ "risk_score": 47,
+ "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "host.id"
+ ],
+ "value": 10
+ },
+ "type": "threshold",
+ "version": 2
 },
- "type": "threshold",
- "version": 2
+ "id": "035889c4-2686-4583-a7df-67f89c292f2c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0415f22a-2336-45fa-ba07-618a5942e22c.json b/packages/security_detection_engine/kibana/security_rule/rule-0415f22a-2336-45fa-ba07-618a5942e22c.json
index 09dae39571c..3539119b03c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-0415f22a-2336-45fa-ba07-618a5942e22c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-0415f22a-2336-45fa-ba07-618a5942e22c.json
@@ -1,67 +1,71 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
- "false_positives": [
- "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Modification of OpenSSH Binaries",
- "query": "event.category:file and event.type:change and process.name:* and (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and not process.executable:/usr/bin/dpkg",
- "references": [
- "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
- ],
- "risk_score": 47,
- "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Credential Access",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
+ "false_positives": [
+ "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Modification of OpenSSH Binaries",
+ "query": "event.category:file and event.type:change and process.name:* and (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and not process.executable:/usr/bin/dpkg",
+ "references": [
+ "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Credential Access",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1543",
- "name": "Create or Modify System Process",
- "reference": "https://attack.mitre.org/techniques/T1543/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1556",
- "name": "Modify Authentication Process",
- "reference": "https://attack.mitre.org/techniques/T1556/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-041d4d41-9589-43e2-ba13-5680af75ebc2.json b/packages/security_detection_engine/kibana/security_rule/rule-041d4d41-9589-43e2-ba13-5680af75ebc2.json
index 3f68670241b..dd8db1c5ed0 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-041d4d41-9589-43e2-ba13-5680af75ebc2.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-041d4d41-9589-43e2-ba13-5680af75ebc2.json
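Review bot: The only package-manager exclusion in the `"query"` is `not process.executable:/usr/bin/dpkg`, so routine OpenSSH updates on hosts that use rpm/dnf/yum (or any non-Debian package manager) will alert on every patch cycle; the `"false_positives"` entry acknowledges trusted updates but the rule gives operators no hook for them. Either extend the `"note"` to say that per-distribution package-manager exceptions must be added by the deployer, or widen the exclusion to the package managers the rule is expected to tolerate — keeping it narrow, because a writer other than the package manager is exactly what this rule exists to surface. The commit only re-wraps the document, so this is a follow-up with a `"version"` bump.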
@@ -1,33 +1,37 @@ { - "author": [ - "Elastic" - ], - "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", - "false_positives": [ - "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential DNS Tunneling via Iodine", - "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)", - "references": [ - "https://code.kryo.se/iodine/" - ], - "risk_score": 73, - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", + "false_positives": [ + "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via Iodine", + "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)", + "references": [ + "https://code.kryo.se/iodine/" + ], + "risk_score": 73, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0564fb9d-90b9-4234-a411-82a546dc1343.json b/packages/security_detection_engine/kibana/security_rule/rule-0564fb9d-90b9-4234-a411-82a546dc1343.json index b0c65fafbb6..7b3b89afbc4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0564fb9d-90b9-4234-a411-82a546dc1343.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0564fb9d-90b9-4234-a411-82a546dc1343.json 
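Review bot: The query relies solely on `process.name:(iodine or iodined)`, so simply renaming the binary — the first thing an operator tunnelling out of a monitored network does — evades a rule rated high severity, and nothing in the `false_positives` text or description tells an analyst that the check is name-based. This rule also carries no `threat` mapping and no tactic tag, unlike the other rules in this change; I would add an entry for Command and Control / T1572 Protocol Tunneling (`https://attack.mitre.org/techniques/T1572/`) so alerts land in the right ATT&CK bucket. Since this path looks like a generated export of an upstream rule, the edit presumably belongs in the rule source rather than here.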
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Microsoft IIS Service Account Password Dumped", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n", - "references": [ - "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" - ], - "risk_score": 73, - "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. 
An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Service Account Password Dumped", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" + ], + "risk_score": 73, + "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-05b358de-aa6d-4f6c-89e6-78f74018b43b.json b/packages/security_detection_engine/kibana/security_rule/rule-05b358de-aa6d-4f6c-89e6-78f74018b43b.json index 3062391069f..ab07aeb15a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-05b358de-aa6d-4f6c-89e6-78f74018b43b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-05b358de-aa6d-4f6c-89e6-78f74018b43b.json 
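Review bot: The `process.args : "/list"` clause looks suspect — AppCmd's documented syntax puts the verb first without a slash (`appcmd list apppool /text:processModel.password`), so if the collector records `list` as the argument the rule never fires even though the `/text*password` clause is met; please verify against a test execution before relying on this detection. If the bare form is what gets logged, the change is `process.args : ("list", "/list") and process.args : "/text*password"`. Also consider that `/text:*` (if it dumps all attributes, including the password) is not caught by the `/text*password` wildcard and is a cheap evasion for an attacker reading the NetSPI post.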
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Conhost Spawned By Suspicious Parent Process", - "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" - ], - "risk_score": 73, - "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Conhost Spawned By Suspicious Parent Process", + "query": "event.category:process and 
event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" + ], + "risk_score": 73, + "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-05e5a668-7b51-4a67-93ab-e9af405c9ef3.json b/packages/security_detection_engine/kibana/security_rule/rule-05e5a668-7b51-4a67-93ab-e9af405c9ef3.json index d0371c0e393..362c69de9b1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-05e5a668-7b51-4a67-93ab-e9af405c9ef3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-05e5a668-7b51-4a67-93ab-e9af405c9ef3.json 
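Review bot: Listing `csrss.exe` as a suspicious parent will be noisy on older hosts: on Windows 7 / Server 2008 R2 conhost.exe is, as far as I recall from the referenced FireEye post, legitimately spawned by csrss.exe for every console session, so a risk_score 73 alert fires on normal activity there and the rule has no `false_positives` entry warning about it. Either drop `csrss.exe` from the parent list or add `"false_positives": ["On Windows 7 and Server 2008 R2, conhost.exe is normally spawned by csrss.exe; exclude those hosts or tune by OS version."]` — confirm the exact OS split against the reference before picking. Since this is a generated export, the fix belongs in the upstream rule source.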
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Interactive Terminal Spawned via Perl", - "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")", - "risk_score": 73, - "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Perl. 
Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Perl", + "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")", + "risk_score": 73, + "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0635c542-1b96-4335-9b47-126582d2c19a.json b/packages/security_detection_engine/kibana/security_rule/rule-0635c542-1b96-4335-9b47-126582d2c19a.json index 8a6e00af020..e4b9156d829 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0635c542-1b96-4335-9b47-126582d2c19a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0635c542-1b96-4335-9b47-126582d2c19a.json 
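Review bot: The `process.args` check is an exact-string match on three literal spellings (`exec "/bin/sh";` and friends), so `exec "/bin/sh"` without the trailing semicolon, single quotes, `exec("/bin/sh")`, or a different shell such as `/bin/zsh` all bypass a rule rated high severity. Because quoted KQL strings are literal, broadening requires unquoted wildcard terms against `process.args`; verify the field is mapped as keyword so wildcards work before switching. The rule also lacks the `references` and `false_positives` sections several siblings carry — a note that Perl-based admin tooling can legitimately exec a shell would help triage.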
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote System Discovery Commands", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\")\n", - "risk_score": 21, - "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote System Discovery Commands", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\")\n", + "risk_score": 21, + "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + 
"tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "0635c542-1b96-4335-9b47-126582d2c19a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json b/packages/security_detection_engine/kibana/security_rule/rule-06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json index e557bc893f4..d414273def1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json 
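Review bot: The EQL query has an operator-precedence bug: `and` binds tighter than `or`, so `process where event.type in (...) and (nbtstat ...) or (arp ...)` parses as `(event-type filter and nbtstat) or (arp)`, meaning the `arp.exe -a` branch matches every process event type, not just starts, and will alert again on termination events. Wrap the alternatives: `process where event.type in ("start", "process_started") and ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or (process.name : "arp.exe" and process.args : "-a"))`. Separately, the description reads "used to mover laterally" — should be "move laterally". This file looks like a generated export, so both fixes presumably belong in the upstream rule source.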
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Evasion via Filter Manager", - "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe", - "risk_score": 21, - "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe", + "risk_score": 21, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-074464f9-f30d-4029-8c03-0ed237fffec7.json b/packages/security_detection_engine/kibana/security_rule/rule-074464f9-f30d-4029-8c03-0ed237fffec7.json index 55d3b5563a0..94015063570 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-074464f9-f30d-4029-8c03-0ed237fffec7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-074464f9-f30d-4029-8c03-0ed237fffec7.json 
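Review bot: The query alerts on any `fltMC.exe` execution, including read-only enumeration such as `fltmc filters` or `fltmc instances`, while the name and description are specifically about unloading a filter driver; adding an argument constraint along the lines of `and process.args:(unload or Unload)` would make the alert mean what it says (KQL on a keyword field is an exact, case-sensitive match, hence the two spellings). The ATT&CK mapping is also off: unloading a minifilter to blind security tooling is T1562.001 Disable or Modify Tools under Defense Evasion, not T1222 File and Directory Permissions Modification — swap the technique to `"id": "T1562", "name": "Impair Defenses"` with the T1562.001 subtechnique, matching the mapping the netsh rule in this same change uses. Finally, `process.name:fltMC.exe` is case-sensitive; if any of the listed data sources report the lowercase name the rule silently misses, so confirm against real events.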
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Desktop Enabled in Windows Firewall", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", - "risk_score": 47, - "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Desktop Enabled in Windows Firewall", + "query": "process where event.type in (\"start\", \"process_started\") 
and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "risk_score": 47, + "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-080bc66a-5d56-4d1f-8071-817671716db9.json b/packages/security_detection_engine/kibana/security_rule/rule-080bc66a-5d56-4d1f-8071-817671716db9.json index 0b98b27d3ed..eeedb0f9837 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-080bc66a-5d56-4d1f-8071-817671716db9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-080bc66a-5d56-4d1f-8071-817671716db9.json 
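Review bot: The `group="remote desktop"` and `RemoteDesktop` tokens are the English rule-group names; on localized Windows installs the group is translated, so the `group=` form would not match there — if the fleet is not English-only, consider matching on the rule names or adding the localized group names alongside `localport=3389`. `localport=3389` also assumes the default RDP port, so a host reconfigured to listen elsewhere is invisible to that clause. The T1562.001 mapping is defensible, but opening inbound RDP is more often a precursor to Lateral Movement via Remote Services (T1021.001), and a second `threat` entry would help analysts pivot.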
@@ -1,64 +1,68 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Browser Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n process.command_line != null and \n not process.args : \n ( \n \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n \"hw.model\", \n \"IOPlatformExpertDevice\", \n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\", \n \"Chrome.app\", \n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n \"$DISPLAY\", \n \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n )\n", - "references": [ - "https://objective-see.com/blog/blog_0x43.html", - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" - ], - "risk_score": 73, - "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Initial Access", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": 
"https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Browser Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n process.command_line != null and \n not process.args : \n ( \n \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n \"hw.model\", \n \"IOPlatformExpertDevice\", \n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\", \n \"Chrome.app\", \n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n \"$DISPLAY\", \n \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n )\n", + "references": [ + "https://objective-see.com/blog/blog_0x43.html", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" + ], + "risk_score": 73, + "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Initial Access", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": 
"Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] }, - "technique": [ - { - "id": "T1203", - "name": "Exploitation for Client Execution", - "reference": "https://attack.mitre.org/techniques/T1203/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1189", - "name": "Drive-by Compromise", - "reference": "https://attack.mitre.org/techniques/T1189/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "080bc66a-5d56-4d1f-8071-817671716db9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-082e3f8c-6f80-485c-91eb-5b112cb79b28.json b/packages/security_detection_engine/kibana/security_rule/rule-082e3f8c-6f80-485c-91eb-5b112cb79b28.json index 70fc24e0c3f..db13d03cbf5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-082e3f8c-6f80-485c-91eb-5b112cb79b28.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-082e3f8c-6f80-485c-91eb-5b112cb79b28.json 
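Review bot: Several exclusions in the `not process.args : (...)` list are single tokens matched at any position in the argument vector — `"hw.model"`, `"IOPlatformExpertDevice"`, `"Chrome.app"`, `"$DISPLAY"` — so an attacker who controls the command line can suppress this high-severity alert just by appending one of them as a harmless trailing argument (e.g. `bash -c '<payload>' Chrome.app`). Exclusions that cheap to satisfy should be tied to the legitimate caller rather than to arguments: scope each one to the specific `process.parent.executable` / `process.executable` path of the updater it is meant to allow, or match the full `process.command_line` prefix. Also, `logs-endpoint.events.*` is not macOS-specific, so unless the index is scoped elsewhere the rule (tagged macOS only) will evaluate Linux browser children as well — add an OS filter if that is not intended.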
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", - "false_positives": [ - "Trusted applications persisting via LaunchAgent" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Launch Agent Creation or Modification and Immediate Loading", - "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "risk_score": 21, - "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", + "false_positives": [ + 
"Trusted applications persisting via LaunchAgent" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Launch Agent Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 21, + "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-083fa162-e790-4d85-9aeb-4fea04188adb.json b/packages/security_detection_engine/kibana/security_rule/rule-083fa162-e790-4d85-9aeb-4fea04188adb.json index 92d95d9ec81..70542f35ca8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-083fa162-e790-4d85-9aeb-4fea04188adb.json 
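Review bot: The second sequence step requires `process.args == "load"`, so an agent loaded with the modern `launchctl bootstrap gui/<uid> <plist>` form — or simply left in place for the next login, with no launchctl call at all — never completes the sequence; at minimum change the step to `process.args in ("load", "bootstrap")`. The file step's `event.type != "deletion"` admits any non-deletion event, including attribute-only changes, which is fine for recall but worth stating in the description so analysts know why a mere touch can trigger the first stage. Unlike its siblings this rule has no `timestamp_override: event.ingested`, so late-arriving endpoint events can fall outside the `now-9m` window — presumably deliberate for a sequence rule, but please confirm.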
+++ b/packages/security_detection_engine/kibana/security_rule/rule-083fa162-e790-4d85-9aeb-4fea04188adb.json 
@@ -1,80 +1,84 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Hidden Child Process of Launchd", - "query": "event.category:process and event.type:(start or process_started) and process.name:.* and process.parent.executable:/sbin/launchd", - "references": [ - "https://objective-see.com/blog/blog_0x61.html", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "risk_score": 47, - "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a launchd child process with a hidden file. 
An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Hidden Child Process of Launchd", + "query": "event.category:process and event.type:(start or process_started) and process.name:.* and process.parent.executable:/sbin/launchd", + "references": [ + "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 47, + "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide 
Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-08d5d7e2-740f-44d8-aeda-e41f4263efaf.json b/packages/security_detection_engine/kibana/security_rule/rule-08d5d7e2-740f-44d8-aeda-e41f4263efaf.json index 25828f9b181..67a0a083a46 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-08d5d7e2-740f-44d8-aeda-e41f4263efaf.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-08d5d7e2-740f-44d8-aeda-e41f4263efaf.json 
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", - "false_positives": [ - "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "TCP Port 8000 Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + 
], + "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", + "false_positives": [ + "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "TCP Port 8000 Activity to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 21, + "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", + "type": "security_rule" } \ No newline 
at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-092b068f-84ac-485d-8a55-7dd9e006715f.json b/packages/security_detection_engine/kibana/security_rule/rule-092b068f-84ac-485d-8a55-7dd9e006715f.json index ea3882c8b6a..00f91d9cdbf 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-092b068f-84ac-485d-8a55-7dd9e006715f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-092b068f-84ac-485d-8a55-7dd9e006715f.json 
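Review bot: The `destination.ip` exclusion in the `query` string omits the RFC 6598 shared address space, so traffic from a private source to a carrier-grade-NAT destination on port 8000 is reported as "to the Internet"; the `false_positives` text already calls out NAT environments as a known source of noise. Adding `or 100.64.0.0/10` to the `not destination.ip:( … )` list would close that gap. As far as I can tell the `"::1"`, `"FE80::/10"` and `"FF00::/8"` entries are unreachable, because the `source.ip` clause only admits RFC 1918 IPv4 sources, so they could be dropped or the source clause widened to IPv6 private ranges, whichever matches the intent. The rule also carries no `references` array, unlike the other rules in this commit.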
@@ -1,78 +1,82 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation of Hidden Launch Agent or Daemon", - "query": "file where event.type != \"deletion\" and\n file.path : \n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "risk_score": 47, - "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden launch agent or daemon. 
An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Launch Agent or Daemon", + "query": "file where event.type != \"deletion\" and\n file.path : \n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 47, + "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": 
"https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-09443c92-46b3-45a4-8f25-383b028b258d.json b/packages/security_detection_engine/kibana/security_rule/rule-09443c92-46b3-45a4-8f25-383b028b258d.json index c440c9baaa6..72e3e6e93de 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-09443c92-46b3-45a4-8f25-383b028b258d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-09443c92-46b3-45a4-8f25-383b028b258d.json 
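Review bot: The `threat` mapping lists only the `T1543.001` Launch Agent sub-technique, but the `query` also matches `/System/Library/LaunchDaemons/.*.plist` and `/Library/LaunchDaemons/.*.plist`, and the rule `name` is "Creation of Hidden Launch Agent or Daemon". The daemon half of the coverage is unmapped; adding a second entry to the `subtechnique` array, `{ "id": "T1543.004", "name": "Launch Daemon", "reference": "https://attack.mitre.org/techniques/T1543/004/" }`, would make the ATT&CK coverage match what the query detects. The same mapping gap does not apply to rule-083fa162, whose query is parent-process based rather than path based.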
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Termination followed by Deletion", - "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and \n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n", - "risk_score": 47, - "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. 
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Termination followed by Deletion", + "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and \n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n", + "risk_score": 47, + "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "09443c92-46b3-45a4-8f25-383b028b258d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0a97b20f-4144-49ea-be32-b540ecc445de.json b/packages/security_detection_engine/kibana/security_rule/rule-0a97b20f-4144-49ea-be32-b540ecc445de.json index 93777a3ad46..ab84c4fadd6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0a97b20f-4144-49ea-be32-b540ecc445de.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0a97b20f-4144-49ea-be32-b540ecc445de.json 
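Review bot: In the `query` string, `process.code_signature.trusted == false` only matches events where the field is present and false; if the endpoint omits the `code_signature` fields entirely for unsigned binaries (which I cannot confirm from this file), those terminations would be excluded from the sequence, which is the opposite of the rule's intent. A more defensive first step is `(process.code_signature.trusted == false or process.code_signature.trusted == null) and`. Separately, this rule has no `"timestamp_override": "event.ingested"` while the other EQL rules in this commit (rule-083fa162, rule-092b068f, rule-0c7ca5c2) do; since a 5-second `maxspan` is sensitive to ingest lag, it is worth confirming the omission is deliberate.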
@@ -1,24 +1,28 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Malware - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
- "risk_score": 99,
- "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
- "severity": "critical",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Malware - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+ "risk_score": 99,
+ "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+ "severity": "critical",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json b/packages/security_detection_engine/kibana/security_rule/rule-0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json
index 6a7deff1098..060673b0ec8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json 
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", - "false_positives": [ - "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_anomalous_process_creation", - "name": "Anomalous Windows Process Creation", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. 
For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_anomalous_process_creation", + "name": "Anomalous Windows Process Creation", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json b/packages/security_detection_engine/kibana/security_rule/rule-0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json index edb52a8e8ec..fd68dd44769 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Peripheral Device Discovery", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"fsinfo\" and process.args : \"drives\"\n", - "risk_score": 21, - "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1120", - "name": "Peripheral Device Discovery", - "reference": "https://attack.mitre.org/techniques/T1120/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Peripheral Device Discovery", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "risk_score": 21, + "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + 
"severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1120", + "name": "Peripheral Device Discovery", + "reference": "https://attack.mitre.org/techniques/T1120/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0d69150b-96f8-467c-a86d-a67a3378ce77.json b/packages/security_detection_engine/kibana/security_rule/rule-0d69150b-96f8-467c-a86d-a67a3378ce77.json index 6520e435bea..89f531afaa8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0d69150b-96f8-467c-a86d-a67a3378ce77.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0d69150b-96f8-467c-a86d-a67a3378ce77.json 
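Review bot: The `description` string carries a stray space inside the parenthesis, `(fsutil.exe )`; since this text is surfaced verbatim in the alert UI it should read `"Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system."`. The commit moves the string unchanged into `attributes`, so this is a good moment to fix it and bump `version` accordingly if the package tooling expects that.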
@@ -1,33 +1,37 @@ { - "author": [ - "Elastic" - ], - "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", - "false_positives": [ - "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Nping Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:nping", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 47, - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Nping Process Activity", + "query": "event.category:process and event.type:(start or process_started) and process.name:nping", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json b/packages/security_detection_engine/kibana/security_rule/rule-0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json index b8143ab33dd..3820dc89661 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json 
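Review bot: This rule has no `threat` array and its `tags` stop at "Threat Detection" with no tactic tag, whereas every other detection rule in this commit carries a MITRE ATT&CK mapping and a matching tactic tag. If the omission is not deliberate, the description's "construct raw packets ... security testing" framing points at the Discovery tactic (`TA0007`) with `T1046` Network Service Discovery as the nearest technique, but that should be confirmed against the rule author's intent rather than taken from this note. A short `false_positives` entry is already present, so the mapping is the only metadata that is missing relative to its siblings.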
@@ -1,66 +1,70 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of File Written or Modified by Microsoft Office", - "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", - "risk_score": 21, - "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. 
These processes are often launched via scripts inside documents or during exploitation of MS Office applications.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by Microsoft Office", + "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", + "risk_score": 21, + "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": 
"https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json b/packages/security_detection_engine/kibana/security_rule/rule-0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json index 3ba671263a5..e15f6613a1a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json 
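Review bot: `"risk_score": 21` is paired with `"severity": "high"` in this rule, which is inconsistent with the scale the other rules in this commit follow (21 with low, 47 with medium, 99 with critical); downstream sorting and alert triage that key on `risk_score` would rank this high-severity rule alongside the low ones. If high is the intended severity the line should read `"risk_score": 73,`; otherwise the severity should drop to `"low"`. Either way the pairing should be resolved, and `version` bumped if the package tooling treats the content change as a new rule revision.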
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", - "false_positives": [ - "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Key Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts", - "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" - ], - "risk_score": 21, - "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", + "false_positives": [ + "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Key Creation", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "risk_score": 21, + "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": 
"https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0e79980b-4250-4a50-a509-69294c14e84b.json b/packages/security_detection_engine/kibana/security_rule/rule-0e79980b-4250-4a50-a509-69294c14e84b.json index 9b6d9954f64..87fa994b5fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0e79980b-4250-4a50-a509-69294c14e84b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0e79980b-4250-4a50-a509-69294c14e84b.json 
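Review bot: The new envelope carries the rule identifier twice — the outer `"id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"` and `attributes.rule_id` with the same value — and nothing on the page checks that they stay equal, so a hand edit or regeneration glitch could leave a saved object whose `id` no longer matches the rule it wraps. This appears to be the Kibana saved-object layout (`attributes` / `id` / `type`), so the duplication is presumably required by the format; a validation step in whatever produces or consumes these files should assert `id == attributes.rule_id` and that `id` also matches the `rule-<uuid>.json` file name. Note as well that `type` now exists at both levels with different meanings (`"type": "security_rule"` outside, `"type": "query"` inside), which is easy to misread when grepping. The same applies to the other hunks in this commit: rule-0e79980b, rule-0f616aee, rule-0ff84c42, rule-10a500bb, rule-11013227, rule-1160dcdb, rule-1178ae09 and rule-120559c6.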
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "MsBuild Making Network Connections", - "query": "sequence by process.entity_id\n [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", - "risk_score": 47, - "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "eql", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies MsBuild.exe making outbound network connections. 
This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MsBuild Making Network Connections", + "query": "sequence by process.entity_id\n [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "0e79980b-4250-4a50-a509-69294c14e84b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0f616aee-8161-4120-857e-742366f5eeb3.json b/packages/security_detection_engine/kibana/security_rule/rule-0f616aee-8161-4120-857e-742366f5eeb3.json index aafa6124d57..95b28ec3fda 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0f616aee-8161-4120-857e-742366f5eeb3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0f616aee-8161-4120-857e-742366f5eeb3.json 
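Review bot: This `eql` rule carries no `timestamp_override`, while the other `eql` rule in the same commit (rule-1178ae09, UAC Bypass via Windows Firewall Snap-In Hijack) sets `"timestamp_override": "event.ingested"`, and every `query`-type rule here does too. If the omission is deliberate for the `sequence by process.entity_id` query it would help to record why; otherwise late-arriving endpoint events can fall outside the `from: now-9m` window and the MsBuild network connection goes undetected, and adding `"timestamp_override": "event.ingested"` after `"tags"` would bring it in line with the rest of the package.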
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell spawning Cmd", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell spawning Cmd", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", 
+ "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "0f616aee-8161-4120-857e-742366f5eeb3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-0ff84c42-873d-41a2-a4ed-08d74d352d01.json b/packages/security_detection_engine/kibana/security_rule/rule-0ff84c42-873d-41a2-a4ed-08d74d352d01.json index 3195238cb0d..72b68c4d5bc 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-0ff84c42-873d-41a2-a4ed-08d74d352d01.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-0ff84c42-873d-41a2-a4ed-08d74d352d01.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Privilege Escalation via Root Crontab File Modification", - "query": "event.category:file and not event.type:deletion and file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab", - "references": [ - "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", - "https://www.exploit-db.com/exploits/42146" - ], - "risk_score": 73, - "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the root crontab file. 
Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Privilege Escalation via Root Crontab File Modification", + "query": "event.category:file and not event.type:deletion and file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab", + "references": [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146" + ], + "risk_score": 73, + "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json b/packages/security_detection_engine/kibana/security_rule/rule-10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json index ee9d0eb42a7..257b5027a48 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", - "false_positives": [ - "Legitimate WebProxy Settings Modification" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "WebProxy Settings Modification", - "query": "event.category : process and event.type : start and process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or \"/usr/libexec/xpcproxy\")", - "references": [ - "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", - "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" - ], - "risk_score": 47, - "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1539", - "name": "Steal Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1539/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. 
This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", + "false_positives": [ + "Legitimate WebProxy Settings Modification" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "WebProxy Settings Modification", + "query": "event.category : process and event.type : start and process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or \"/usr/libexec/xpcproxy\")", + "references": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "risk_score": 47, + "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-11013227-0301-4a8c-b150-4db924484475.json b/packages/security_detection_engine/kibana/security_rule/rule-11013227-0301-4a8c-b150-4db924484475.json index e75e150b2ac..4d8cb579186 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-11013227-0301-4a8c-b150-4db924484475.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-11013227-0301-4a8c-b150-4db924484475.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", - "false_positives": [ - "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." - ], - "index": [ - "packetbeat-*", - "filebeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Abnormally Large DNS Response", - "note": "### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.", - "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - 
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS" - ], - "risk_score": 47, - "rule_id": "11013227-0301-4a8c-b150-4db924484475", - "severity": "medium", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", + "false_positives": [ + "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." + ], + "index": [ + "packetbeat-*", + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormally Large DNS Response", + "note": "### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. 
Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.", + "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS" + ], + "risk_score": 47, + "rule_id": "11013227-0301-4a8c-b150-4db924484475", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "11013227-0301-4a8c-b150-4db924484475", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1160dcdb-0a0a-4a79-91d8-9b84616edebd.json b/packages/security_detection_engine/kibana/security_rule/rule-1160dcdb-0a0a-4a79-91d8-9b84616edebd.json index d3b3e4b1c90..70dc5896085 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1160dcdb-0a0a-4a79-91d8-9b84616edebd.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1160dcdb-0a0a-4a79-91d8-9b84616edebd.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))", - "risk_score": 73, - "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order 
Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DLL SideLoading via Trusted Microsoft Programs", + "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))", + "risk_score": 73, + "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json b/packages/security_detection_engine/kibana/security_rule/rule-1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json index edbfc1a1050..da520c12c9f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", - "references": [ - "https://github.com/AzAgarampur/byeintegrity-uac" - ], - "risk_score": 47, - "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-120559c6-5e24-49f4-9e30-8ffe697df6b9.json b/packages/security_detection_engine/kibana/security_rule/rule-120559c6-5e24-49f4-9e30-8ffe697df6b9.json index 0e50c1b8f91..8ce5cee5e0e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-120559c6-5e24-49f4-9e30-8ffe697df6b9.json 
+++ b/packages/security_detection_engine/kibana/security_rule/rule-120559c6-5e24-49f4-9e30-8ffe697df6b9.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", - "false_positives": [ - "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Discovery via Whoami", - "query": "event.category:process and event.type:(start or process_started) and process.name:whoami", - "risk_score": 21, - "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", + "false_positives": [ + "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Discovery via Whoami", + "query": "event.category:process and event.type:(start or process_started) and process.name:whoami", + "risk_score": 21, + "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-125417b8-d3df-479f-8418-12d7e034fee3.json b/packages/security_detection_engine/kibana/security_rule/rule-125417b8-d3df-479f-8418-12d7e034fee3.json index 651c44183a5..7201cb44d10 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-125417b8-d3df-479f-8418-12d7e034fee3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-125417b8-d3df-479f-8418-12d7e034fee3.json 
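Review bot: The new `query` is not scoped to an operating system, while the `description`, `name` context and `tags` ("Linux") all say this is a Linux rule; with `logs-endpoint.events.*` in `index`, a `whoami` execution on any non-Windows endpoint will also satisfy `process.name:whoami`. If the data sources populate ECS `host.os.type`, adding `and host.os.type:linux` to the query would align the logic with the tags; otherwise the scope should be documented, e.g. in `false_positives`: `"This rule also matches whoami executions on other Unix-like endpoints shipped via the same indices."`. The `"version": 7` is carried over unchanged, so this would need to be raised as a separate rule bump rather than folded into this restructuring commit.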
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Disable IPTables or Firewall", - "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))", - "risk_score": 47, - "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable IPTables or Firewall", + "query": "event.category:process and event.type:(start or 
process_started) and process.name:ufw and process.args:(allow or disable or reset) or (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))", + "risk_score": 47, + "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "125417b8-d3df-479f-8418-12d7e034fee3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-12f07955-1674-44f7-86b5-c35da0a6f41a.json b/packages/security_detection_engine/kibana/security_rule/rule-12f07955-1674-44f7-86b5-c35da0a6f41a.json index c96dd71ab6c..d43217bf500 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-12f07955-1674-44f7-86b5-c35da0a6f41a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-12f07955-1674-44f7-86b5-c35da0a6f41a.json 
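Review bot: The `query` has an operator-precedence defect: in KQL `and` binds tighter than `or`, so the `event.category:process and event.type:(start or process_started)` prefix applies only to the `ufw` branch, and the `service`/`chkconfig`/`systemctl` branch fires on any event category and any `event.type` (for example a process `end` event, producing a second alert for the same command). Wrapping the two branches in parentheses fixes it: `"query": "event.category:process and event.type:(start or process_started) and ((process.name:ufw and process.args:(allow or disable or reset)) or (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables)))"`. Separately, `ufw allow` changes a rule rather than disabling the firewall, so the `name` "Attempt to Disable IPTables or Firewall" slightly overstates that branch; a `false_positives` entry noting that routine `ufw allow` changes will alert would help triage.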
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Cmd Execution via WMI", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", - "risk_score": 47, - "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Cmd Execution via WMI", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", + "risk_score": 47, + "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-139c7458-566a-410c-a5cd-f80238d6a5cd.json b/packages/security_detection_engine/kibana/security_rule/rule-139c7458-566a-410c-a5cd-f80238d6a5cd.json index ca53df8b0c7..16b21b3f471 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-139c7458-566a-410c-a5cd-f80238d6a5cd.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-139c7458-566a-410c-a5cd-f80238d6a5cd.json 
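Review bot: The `threat` mapping covers only Execution (TA0002 / T1047), while the `description` explicitly frames the behaviour as "adversary lateral movement"; the two should agree. Either add a second `threat` entry for Lateral Movement (tactic TA0008, technique T1021 Remote Services, both already used elsewhere in this commit) or reword the description to say the pattern is consistent with remote command execution. Adding the tactic would also make the rule surface under the "Lateral Movement" tag that analysts filter on.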
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", - "false_positives": [ - "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SQL Traffic to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may describe database traffic (MS SQL, 
Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", + "false_positives": [ + "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SQL Traffic to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 47, + "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "139c7458-566a-410c-a5cd-f80238d6a5cd", + "type": "security_rule" } \ No newline at end of file 
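Review bot: The `not destination.ip:(...)` exclusion list omits the RFC 6598 shared address space `100.64.0.0/10`, which is widely used for internal addressing in cloud VPCs and overlay networks, so database traffic to such addresses will be reported as "to the Internet"; the same omission is in the RPC rule's `not source.ip:(...)` list at the end of the following file section (rule-143cb236). Extending both lists with `100.64.0.0/10` (and, for completeness, `0.0.0.0/8`) tightens the private/public boundary the rules depend on. The `false_positives` text also asserts that these ports "are in the ephemeral range"; 1433, 1521, 3306 and 5432 sit in the IANA registered range and only fall inside the legacy Windows ephemeral range (1025–5000), so the wording could be hedged to "may fall inside some hosts' ephemeral port range". The `"technique": []` mapping under Command and Control is empty and would benefit from a one-line rationale in `note` for why that tactic was chosen.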
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-141e9b3a-ff37-4756-989d-05d7cbf35b0e.json b/packages/security_detection_engine/kibana/security_rule/rule-141e9b3a-ff37-4756-989d-05d7cbf35b0e.json index ce9ff1d7dfb..78309b46719 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-141e9b3a-ff37-4756-989d-05d7cbf35b0e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-141e9b3a-ff37-4756-989d-05d7cbf35b0e.json 
@@ -1,68 +1,72 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", - "false_positives": [ - "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure External Guest User Invitation", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" - ], - "risk_score": 21, - "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an invitation to an external user in Azure Active Directory (AD). 
Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", + "false_positives": [ + "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure External Guest User Invitation", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" + ], + "risk_score": 21, + "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", 
- "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-143cb236-0956-4f42-a706-814bcaa0cf5a.json b/packages/security_detection_engine/kibana/security_rule/rule-143cb236-0956-4f42-a706-814bcaa0cf5a.json index 77fddb8d1f9..8e2e9b40f34 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-143cb236-0956-4f42-a706-814bcaa0cf5a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-143cb236-0956-4f42-a706-814bcaa0cf5a.json 
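Review bot: The `note` says only "The Azure Filebeat module must be enabled", but `index` also lists `logs-azure*`, which is the data stream written by the Azure integration, so the note under-documents the supported sources; `"note": "The Azure Fleet integration or Filebeat module must be enabled to use this rule."` would match the index list. The `event.outcome:(Success or success)` term suggests the outcome value's case is not normalised at ingest, which is worth a short comment in `false_positives` or `note` so that future edits do not "simplify" it to a single value.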
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json b/packages/security_detection_engine/kibana/security_rule/rule-14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json index 1fda6f2e141..668dd64198b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Persistence via Time Provider Modification", - "query": "registry where event.type:\"change\" and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n registry.data.strings:\"*.dll\"\n", - "references": [ - "https://pentestlab.blog/2019/10/22/persistence-time-providers/" - ], - "risk_score": 47, - "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.003", - "name": "Time Providers", - "reference": "https://attack.mitre.org/techniques/T1547/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network 
devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "query": "registry where event.type:\"change\" and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-15c0b7a7-9c34-4869-b25b-fa6518414899.json b/packages/security_detection_engine/kibana/security_rule/rule-15c0b7a7-9c34-4869-b25b-fa6518414899.json index 4fa724c324f..72e5a7e4b08 100644 
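Review bot: The rule ships at `"version": 1` with no `false_positives` entry, yet the `query` matches any `*.dll` value written under `HKLM\SYSTEM\*ControlSet*\Services\W32Time\TimeProviders\*`, which includes the `DllName` values of the built-in providers that the description itself names (`w32time.dll`), so servicing, imaging and configuration-management writes will alert. Adding `"false_positives": ["Windows updates, system image deployment and configuration management tools may rewrite the built-in time provider entries."]` documents the expected noise. If the data supports it, a tuning that compares `registry.data.strings` against the expected System32 path of the default provider could be mentioned in `note` rather than baked into the query at this stage.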
--- a/packages/security_detection_engine/kibana/security_rule/rule-15c0b7a7-9c34-4869-b25b-fa6518414899.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-15c0b7a7-9c34-4869-b25b-fa6518414899.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Remote File Download via Desktopimgdownldr Utility", - "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*", - "references": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" - ], - "risk_score": 47, - "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-15dacaa0-5b90-466b-acab-63435a59701a.json b/packages/security_detection_engine/kibana/security_rule/rule-15dacaa0-5b90-466b-acab-63435a59701a.json index 0861d72d0bb..d7b7da93b7d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-15dacaa0-5b90-466b-acab-63435a59701a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-15dacaa0-5b90-466b-acab-63435a59701a.json 
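Review bot: The `query` is KQL over keyword fields (`process.name`, `process.pe.original_file_name`, `process.args`), and keyword matching is case-sensitive, so the rule relies on the shipper normalising the case of the image name and of the `/lockscreenurl` switch; the EQL rules in this same commit use the case-insensitive `:` operator and do not carry that assumption. Consider either documenting the assumption in `note` (e.g. `"note": "Matches depend on process name and argument case as recorded by the data source."`) or porting the rule to EQL with `:` for consistency with the sibling Windows rules. A `false_positives` entry would also help, since `desktopimgdownldr.exe` is a legitimate component used for lock-screen image deployment.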
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Virtual Private Network Connection Attempt",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n",
- "references": [
- "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
- "https://www.unix.com/man-page/osx/8/networksetup/",
- "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
- ],
- "risk_score": 21,
- "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Lateral Movement"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
- },
- "technique": [
- {
- "id": "T1021",
- "name": "Remote Services",
- "reference": "https://attack.mitre.org/techniques/T1021/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Virtual Private Network Connection Attempt",
+ "query": "process where event.type in (\"start\", 
\"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n",
+ "references": [
+ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+ "https://www.unix.com/man-page/osx/8/networksetup/",
+ "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
+ ],
+ "risk_score": 21,
+ "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Lateral Movement"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "15dacaa0-5b90-466b-acab-63435a59701a",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-16280f1e-57e6-4242-aa21-bb4d16f13b2f.json b/packages/security_detection_engine/kibana/security_rule/rule-16280f1e-57e6-4242-aa21-bb4d16f13b2f.json
index 53bf08f19aa..8fa50bbe1cc 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-16280f1e-57e6-4242-aa21-bb4d16f13b2f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-16280f1e-57e6-4242-aa21-bb4d16f13b2f.json
@@ -1,36 +1,40 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Automation Runbook Created or Modified",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\" ) and event.outcome:(Success or success)",
- "references": [
- "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
- "https://github.com/hausec/PowerZure",
- "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
- "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
- ],
- "risk_score": 21,
- "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Azure Automation runbook is created or modified. 
An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Automation Runbook Created or Modified",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\" ) and event.outcome:(Success or success)",
+ "references": [
+ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+ "https://github.com/hausec/PowerZure",
+ "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+ "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+ ],
+ "risk_score": 21,
+ "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-16904215-2c95-4ac8-bf5c-12354e047192.json b/packages/security_detection_engine/kibana/security_rule/rule-16904215-2c95-4ac8-bf5c-12354e047192.json
index 5e5e90a6825..7469e2d1354 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-16904215-2c95-4ac8-bf5c-12354e047192.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-16904215-2c95-4ac8-bf5c-12354e047192.json
@@ -1,71 +1,75 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Potential Kerberos Attack via Bifrost",
- "query": "event.category:process and event.type:start and process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))",
- "references": [
- "https://github.com/its-a-feature/bifrost"
- ],
- "risk_score": 73,
- "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Credential Access",
- "Lateral Movement"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Potential Kerberos Attack via Bifrost",
+ "query": "event.category:process and event.type:start and process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))",
+ "references": [
+ "https://github.com/its-a-feature/bifrost"
+ ],
+ "risk_score": 73,
+ "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
+ "severity": "high",
+ "tags": [
+ 
"Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Credential Access",
+ "Lateral Movement"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1550",
+ "name": "Use Alternate Authentication Material",
+ "reference": "https://attack.mitre.org/techniques/T1550/",
+ "subtechnique": [
+ {
+ "id": "T1550.003",
+ "name": "Pass the Ticket",
+ "reference": "https://attack.mitre.org/techniques/T1550/003/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1550",
- "name": "Use Alternate Authentication Material",
- "reference": "https://attack.mitre.org/techniques/T1550/",
- "subtechnique": [
- {
- "id": "T1550.003",
- "name": "Pass the Ticket",
- "reference": "https://attack.mitre.org/techniques/T1550/003/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1558",
- "name": "Steal or Forge Kerberos Tickets",
- "reference": "https://attack.mitre.org/techniques/T1558/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1558",
+ "name": "Steal or Forge Kerberos Tickets",
+ "reference": "https://attack.mitre.org/techniques/T1558/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "16904215-2c95-4ac8-bf5c-12354e047192",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-169f3a93-efc7-4df2-94d6-0d9438c310d1.json b/packages/security_detection_engine/kibana/security_rule/rule-169f3a93-efc7-4df2-94d6-0d9438c310d1.json
index 425737dd84b..16f30dfce24 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-169f3a93-efc7-4df2-94d6-0d9438c310d1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-169f3a93-efc7-4df2-94d6-0d9438c310d1.json
@@ -1,62 +1,66 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
- "false_positives": [
- "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS IAM Group Creation",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
- "references": [
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
- ],
- "risk_score": 21,
- "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1136",
- "name": "Create Account",
- "reference": "https://attack.mitre.org/techniques/T1136/",
- "subtechnique": [
- {
- "id": "T1136.003",
- "name": "Cloud Account",
- "reference": "https://attack.mitre.org/techniques/T1136/003/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ 
"Elastic"
+ ],
+ "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
+ "false_positives": [
+ "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS IAM Group Creation",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/",
+ "subtechnique": [
+ {
+ "id": "T1136.003",
+ "name": "Cloud Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+ "type": 
"security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-16a52c14-7883-47af-8745-9357803f0d4c.json b/packages/security_detection_engine/kibana/security_rule/rule-16a52c14-7883-47af-8745-9357803f0d4c.json
index c2769f37eaf..f96240bebf2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-16a52c14-7883-47af-8745-9357803f0d4c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-16a52c14-7883-47af-8745-9357803f0d4c.json
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Component Object Model Hijacking",
- "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) \u003e 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocXServer32\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
- "references": [
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
- ],
- "risk_score": 47,
- "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1546",
- "name": "Event Triggered Execution",
- "reference": "https://attack.mitre.org/techniques/T1546/",
- "subtechnique": [
- {
- "id": "T1546.015",
- "name": 
"Component Object Model Hijacking",
- "reference": "https://attack.mitre.org/techniques/T1546/015/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Component Object Model Hijacking",
+ "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) \u003e 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocXServer32\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+ "references": [
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+ ],
+ "risk_score": 47,
+ "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ 
},
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.015",
+ "name": "Component Object Model Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1546/015/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "16a52c14-7883-47af-8745-9357803f0d4c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c59-fc0fa58336a5.json b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c59-fc0fa58336a5.json
index 78cc4929701..4394c64e5df 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c59-fc0fa58336a5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c59-fc0fa58336a5.json
@@ -1,31 +1,35 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
- "false_positives": [
- "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "windows_anomalous_user_name_ecs",
- "name": "Unusual Windows Username",
- "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. 
If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. 
Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+ "false_positives": [
+ "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "windows_anomalous_user_name_ecs",
+ "name": "Unusual Windows Username",
+ "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c71-fc0fa58338c7.json b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c71-fc0fa58338c7.json
index f1bc14d150b..fbe13bd561a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c71-fc0fa58338c7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9c71-fc0fa58338c7.json
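Review bot: The new-side `description` of this Windows rule (tags `Host`/`Windows`, job `windows_anomalous_user_name_ecs`) still says "automated Linux fleets tend to see activity from rarely used usernames", which looks like wording carried over from a Linux counterpart rather than a statement about this rule's scope. Presumably it should read "automated Windows fleets" (or simply "automated fleets"), so the text matches the platform the rule is tagged for. Since this file appears to be emitted by the packaging step, the correction belongs in the upstream rule source so the next regeneration does not reintroduce it.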
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
- "false_positives": [
- "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "windows_anomalous_service",
- "name": "Unusual Windows Service",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+ "false_positives": [
+ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." 
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "windows_anomalous_service",
+ "name": "Unusual Windows Service",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d60-fc0fa58337b6.json b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d60-fc0fa58337b6.json
index 6d746dabacf..750621d5de6 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d60-fc0fa58337b6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d60-fc0fa58337b6.json
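Review bot: The new-side `description` carries a comma splice, "detected an unusual Windows service, This can indicate execution of unauthorized services", which the re-wrapping preserved from the old side. The sentence should be split with a period: `"A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. …"`. As with the other files in this diff the text is presumably generated from the upstream rule source, so the fix belongs there.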
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
- "false_positives": [
- "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "windows_anomalous_script",
- "name": "Suspicious Powershell Script",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+ "false_positives": [
+ "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." 
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "windows_anomalous_script",
+ "name": "Suspicious Powershell Script",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d82-fc0fa58449c8.json b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d82-fc0fa58449c8.json
index 291a6ffc8c1..b0b28a0049c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d82-fc0fa58449c8.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9d82-fc0fa58449c8.json
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", - "false_positives": [ - "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_rare_user_runas_event", - "name": "Unusual Windows User Privilege Elevation Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_rare_user_runas_event", + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9e93-fc0fa69550c9.json b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9e93-fc0fa69550c9.json index 5693587584c..aaafe8b0666 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9e93-fc0fa69550c9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1781d055-5c66-4adf-9e93-fc0fa69550c9.json 
@@ -1,31 +1,35 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", - "false_positives": [ - "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_rare_user_type10_remote_login", - "name": "Unusual Windows Remote User", - "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. 
RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_rare_user_type10_remote_login", + "name": "Unusual Windows Remote User", + "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json b/packages/security_detection_engine/kibana/security_rule/rule-17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json index 1532954c783..caf3f45c359 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json 
@@ -1,29 +1,33 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution - Short Program Name", - "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) \u003e 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) \u003e 5\n", - "risk_score": 47, - "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution - Short Program Name", + "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) \u003e 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) \u003e 5\n", + "risk_score": 47, + "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "type": "security_rule" } \ No newline at end of file 
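Review bot: The `description` still says "single character process name" while the `query` matches `length(process.name) == 5` together with `length(process.pe.original_file_name) > 5`, which appears to mean a one-character base name plus a three-letter extension whose PE original file name is longer; a reader of the description alone would not expect the length-5 check. The description in the rule source should state this, e.g. `Identifies process execution with a single character process name (a one-character name plus a three-letter extension) whose PE original file name is longer. This is often done by adversaries while staging or executing renamed temporary utilities.` The rule also carries an `Execution` tag but, unlike the other rules in this diff, no `threat` array, so the ATT&CK mapping may be missing.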
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-17e68559-b274-4948-ad0b-f8415bb31126.json b/packages/security_detection_engine/kibana/security_rule/rule-17e68559-b274-4948-ad0b-f8415bb31126.json index 21797510502..c125f41854f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-17e68559-b274-4948-ad0b-f8415bb31126.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-17e68559-b274-4948-ad0b-f8415bb31126.json 
@@ -1,29 +1,33 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_server_domain", - "name": "Unusual Network Destination Domain Name", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. 
When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "17e68559-b274-4948-ad0b-f8415bb31126", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-184dfe52-2999-42d9-b9d1-d1ca54495a61.json b/packages/security_detection_engine/kibana/security_rule/rule-184dfe52-2999-42d9-b9d1-d1ca54495a61.json index 63f221316cf..e06f969bb97 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-184dfe52-2999-42d9-b9d1-d1ca54495a61.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-184dfe52-2999-42d9-b9d1-d1ca54495a61.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", - "false_positives": [ - "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Sink Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success", - "references": [ - "https://cloud.google.com/logging/docs/export#how_sinks_work" - ], - "risk_score": 21, - "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). 
Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", + "false_positives": [ + "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Modification", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success", + "references": [ + "https://cloud.google.com/logging/docs/export#how_sinks_work" + ], + "risk_score": 21, + "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", + "type": "security_rule" } \ No newline at end of file 
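Review bot: The `note` says only `The GCP Filebeat module must be enabled to use this rule.`, yet `index` includes `logs-gcp*` (presumably the Fleet integration data stream) and the query accepts `gcp.audit` alongside `googlecloud.audit`. The wording should match the Azure rule in this change, e.g. `The GCP Fleet integration or Filebeat module must be enabled to use this rule.`; the AWS CloudTrail Log Suspended rule later in this diff has the same Filebeat-only note next to a `logs-aws*` index. As this file looks generated, the correction presumably belongs in the upstream rule source.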
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-19de8096-e2b0-4bd8-80c9-34a820813fff.json b/packages/security_detection_engine/kibana/security_rule/rule-19de8096-e2b0-4bd8-80c9-34a820813fff.json index e7dcdb2deb4..663b635f17c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-19de8096-e2b0-4bd8-80c9-34a820813fff.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-19de8096-e2b0-4bd8-80c9-34a820813fff.json 
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", - "false_positives": [ - "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." - ], - "from": "now-60m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_error_code", - "name": "Rare AWS Error Code", - "note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. 
The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "ML" - ], - "type": "machine_learning", - "version": 3 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", + "false_positives": [ + "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." + ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_error_code", + "name": "Rare AWS Error Code", + "note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. 
Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "ML" + ], + "type": "machine_learning", + "version": 3 + }, + "id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "type": "security_rule" } \ No newline at end of file 
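Review bot: In the `note` the code span is misplaced in `aws.cloudtrail.error_code field`, putting the word "field" inside the backticks, unlike the other references in the same note (`user.name` field, `user_agent.original` field). It should read `aws.cloudtrail.error_code` field, so the rendered investigation guide shows the exact field name an analyst can copy into a search. Since this artifact appears to be generated, the fix presumably belongs in the upstream rule source.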
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1a36cace-11a7-43a8-9a10-b497c5a02cd3.json b/packages/security_detection_engine/kibana/security_rule/rule-1a36cace-11a7-43a8-9a10-b497c5a02cd3.json index a2bcd3b1e86..73c4d92c27c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1a36cace-11a7-43a8-9a10-b497c5a02cd3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1a36cace-11a7-43a8-9a10-b497c5a02cd3.json 
@@ -1,60 +1,64 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", - "false_positives": [ - "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Application Credential Modification", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)", - "references": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" - ], - "risk_score": 47, - "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - 
"name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", + "false_positives": [ + "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Application Credential Modification", + "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "risk_score": 47, + "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1a6075b0-7479-450e-8fe7-b8b8438ac570.json b/packages/security_detection_engine/kibana/security_rule/rule-1a6075b0-7479-450e-8fe7-b8b8438ac570.json index a1535ec6888..d4045461312 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1a6075b0-7479-450e-8fe7-b8b8438ac570.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1a6075b0-7479-450e-8fe7-b8b8438ac570.json 
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of COM object via Xwizard", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", - "references": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" - ], - "risk_score": 47, - "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1559", - "name": "Inter-Process Communication", - "reference": "https://attack.mitre.org/techniques/T1559/", - "subtechnique": [ - { - "id": "T1559.001", - "name": "Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1559/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process 
communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of COM object via Xwizard", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json b/packages/security_detection_engine/kibana/security_rule/rule-1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json index 18372bf9984..7cc137e7a79 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", - "false_positives": [ - "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Suspended", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" - ], - "risk_score": 47, - "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + 
"attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", + "false_positives": [ + "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Suspended", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" + ], + "risk_score": 47, + "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": 
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1aa9181a-492b-4c01-8b16-fa0735786b2b.json b/packages/security_detection_engine/kibana/security_rule/rule-1aa9181a-492b-4c01-8b16-fa0735786b2b.json index 01864704917..160745552f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1aa9181a-492b-4c01-8b16-fa0735786b2b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1aa9181a-492b-4c01-8b16-fa0735786b2b.json 
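Review bot: The query only alerts on `event.outcome:success`, so a StopLogging call that IAM denies is dropped even though a failed attempt to switch off audit logging is itself worth surfacing, and the `risk_score`/`severity` of 47/medium arguably understates a successful one. Consider either a companion rule for denied attempts or dropping the outcome clause and carrying `event.outcome` into the alert: `event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com`. The `note` also still reads "The AWS Filebeat module must be enabled" while `index` targets `logs-aws*` from the Fleet integration; suggest `The AWS Fleet integration or Filebeat module must be enabled to use this rule.` These JSON files look generated from a rule source, so the change belongs upstream rather than in this artifact.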
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Account Creation", - "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", - "risk_score": 21, - "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new local users. 
This is sometimes done by attackers to increase access to a system or domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Account Creation", + "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json b/packages/security_detection_engine/kibana/security_rule/rule-1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json index 5fbadb31917..065c244b2f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json 
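Review bot: Matching on `process.name:(net.exe or net1.exe)` is bypassed by simply copying or renaming the binary, which is a routine evasion for exactly this technique. The Xwizard rule earlier in this change keys on `process.pe.original_file_name`, and the same approach works here: `process.name:(net.exe or net1.exe) or process.pe.original_file_name:(net.exe or net1.exe)`, keeping the `not process.parent.name:net.exe` clause so the net1.exe child spawned by net.exe does not double-alert. The description promises "local users" but `process.args:(user and (/ad or /add))` also fires on `/domain` creations, which is fine but worth saying in `description` or `false_positives`. If the file is generated from the rule's TOML source, make the change there.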
@@ -1,47 +1,51 @@ { - "author": [ - "Elastic" - ], - "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", - "false_positives": [ - "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Internal Network via Telnet", - "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n", - "risk_score": 47, - "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. 
This rule identifies Telnet network connections to non-publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Internal Network via Telnet", + "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n", + "risk_score": 47, + "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json b/packages/security_detection_engine/kibana/security_rule/rule-1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json index def04ade3fd..6f77bf5d897 100644 
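Review bot: The `cidrmatch` list covers only RFC 1918 and IPv6 link-local, so telnet to IPv6 unique-local addresses (`fc00::/7`) or to the RFC 6598 shared address space (`100.64.0.0/10`), both commonly used for internal networks, is not detected despite the rule's name. Suggest `cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "FE80::/10", "fc00::/7")` in the network step. The `sequence by process.entity_id` also carries no `maxspan`; the other sequence rules in this change bound theirs, and a bound here would keep a long-lived telnet process from pairing with a much later connection.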
--- a/packages/security_detection_engine/kibana/security_rule/rule-1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json 
@@ -1,72 +1,76 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Possible Consent Grant Attack via Azure-Registered Application", - "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n", - "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide" - ], - "risk_score": 47, - "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - 
"framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide" + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + 
"severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "type": "security_rule" } \ No newline at end of file 
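Review bot: The query matches `o365.audit` events (`event.dataset:(... or o365.audit)` and `o365.audit.Operation:"Consent to application."`), but `index` lists only `filebeat-*` and `logs-azure*`, so consent grants arriving through the Microsoft 365 Fleet integration under `logs-o365*` are never searched and that branch of the query is dead. Add `"logs-o365*"` to the `index` array and extend the first bullet of `note` to say that the Azure or Microsoft 365 integration (or Filebeat module) must be enabled. The rule appears to be generated from a TOML source, so the index change should be made there.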
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json b/packages/security_detection_engine/kibana/security_rule/rule-1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json index b23d2d5ef64..20d26b6ebac 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", - "false_positives": [ - "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming Execution via WinRM Remote Shell", - "query": "sequence by host.id with maxspan=30s\n [network where process.pid == 4 and network.direction == \"incoming\" and\n destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n ]\n [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", - "risk_score": 47, - "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", + "false_positives": [ + "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via WinRM Remote Shell", + "query": "sequence by host.id with maxspan=30s\n [network where process.pid == 4 and network.direction == \"incoming\" and\n destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n ]\n [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", + "risk_score": 47, + "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1d276579-3380-4095-ad38-e596a01bc64f.json b/packages/security_detection_engine/kibana/security_rule/rule-1d276579-3380-4095-ad38-e596a01bc64f.json index 67d76cf261d..6597453852d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1d276579-3380-4095-ad38-e596a01bc64f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1d276579-3380-4095-ad38-e596a01bc64f.json 
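Review bot: The first sequence step requires `network.direction == "incoming"`, but ECS later standardized this field on `ingress`/`egress`; if the data in `logs-endpoint.events.*` or `logs-windows.*` emits `ingress`, the sequence never starts and the rule is silently inert. A tolerant form is `network.direction in ("incoming", "ingress")`, to be confirmed against the field values the integrations actually ship. Likewise `network.protocol == "http"` may not be populated for the TLS listener on 5986, so the `destination.port in (5985, 5986)` test is only effective for 5985 unless that is verified with sample data.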
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Download via Script Interpreter", - "query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", - "risk_score": 47, - "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and network.type == \"ipv4\" and 
destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", + "risk_score": 47, + "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "1d276579-3380-4095-ad38-e596a01bc64f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1d72d014-e2ab-4707-b056-9b96abe7b511.json b/packages/security_detection_engine/kibana/security_rule/rule-1d72d014-e2ab-4707-b056-9b96abe7b511.json index c9f734335f9..76349cce5b3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1d72d014-e2ab-4707-b056-9b96abe7b511.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1d72d014-e2ab-4707-b056-9b96abe7b511.json 
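Review bot: `network.type == "ipv4"` excludes every IPv6 connection, so a payload fetched over IPv6 by wscript or cscript bypasses the rule, and the loopback exclusion covers only the single address `127.0.0.1`. The Telnet rule in this change handles the same concern with `cidrmatch`, and the same pattern fits here: `network.direction == "outgoing" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")`, dropping the `network.type` clause. If these JSON files are generated from TOML, the change belongs upstream.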
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", - "false_positives": [ - "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." - ], - "index": [ - "packetbeat-*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Public IP Reconnaissance Activity", - "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.", - "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer", - "references": [ - "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" - ], - "risk_score": 21, - "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration 
Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", + "false_positives": [ + "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." + ], + "index": [ + "packetbeat-*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Public IP Reconnaissance Activity", + "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.", + "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer", + "references": [ + "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + ], + "risk_score": 21, + "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + 
"name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "1d72d014-e2ab-4707-b056-9b96abe7b511", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json b/packages/security_detection_engine/kibana/security_rule/rule-1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json index f8f389254e7..51e42ed9301 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", - "risk_score": 47, - "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. 
Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "risk_score": 47, + "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1defdd62-cd8d-426e-a246-81a37751bb2b.json b/packages/security_detection_engine/kibana/security_rule/rule-1defdd62-cd8d-426e-a246-81a37751bb2b.json index 5e1c51bf2a3..567fc9c1d95 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1defdd62-cd8d-426e-a246-81a37751bb2b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1defdd62-cd8d-426e-a246-81a37751bb2b.json 
@@ -1,66 +1,70 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of File Written or Modified by PDF Reader", - "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", - "risk_score": 21, - "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. 
These processes are often launched via exploitation of PDF applications.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by PDF Reader", + "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", + "risk_score": 21, + "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": 
{ + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "1defdd62-cd8d-426e-a246-81a37751bb2b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1e0b832e-957e-43ae-b319-db82d228c908.json b/packages/security_detection_engine/kibana/security_rule/rule-1e0b832e-957e-43ae-b319-db82d228c908.json index 67e901fa297..fe41db02617 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1e0b832e-957e-43ae-b319-db82d228c908.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1e0b832e-957e-43ae-b319-db82d228c908.json 
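Review bot: `"risk_score": 21` is paired with `"severity": "high"` in this rule's attributes, which breaks the score/severity convention the neighbouring rules in this batch follow (21/low, 47/medium, 73/high) and will make this alert rank below medium-severity detections in risk-sorted views. Either field could be the wrong one; if high is the intended severity the fix is `"risk_score": 73,`. The Execution tactic entry also carries an empty `"technique": []`, which adds nothing to the ATT&CK mapping unless a technique is filled in. This is pre-existing content that the commit only re-nests under `attributes`.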
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", - "false_positives": [ - "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Storage Account Key Regenerated", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" - ], - "risk_score": 21, - "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a rotation to storage account access keys in Azure. 
Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", + "false_positives": [ + "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Storage Account Key Regenerated", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" + ], + "risk_score": 21, + "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "1e0b832e-957e-43ae-b319-db82d228c908", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json b/packages/security_detection_engine/kibana/security_rule/rule-1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json index 4a928ac184b..bd8c561a7a5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json 
@@ -1,59 +1,63 @@ { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", - "false_positives": [ - "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_rare_sudo_user", - "name": "Unusual Sudo Activity", - "risk_score": 21, - "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", + "false_positives": [ + "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_rare_sudo_user", + "name": "Unusual Sudo Activity", + "risk_score": 21, + "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - } - ], - "type": "machine_learning", - "version": 2 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "type": "machine_learning", + "version": 2 + }, + "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1faec04b-d902-4f89-8aff-92cd9043c16f.json b/packages/security_detection_engine/kibana/security_rule/rule-1faec04b-d902-4f89-8aff-92cd9043c16f.json index 524fb662b61..97d46a27d99 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-1faec04b-d902-4f89-8aff-92cd9043c16f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1faec04b-d902-4f89-8aff-92cd9043c16f.json 
@@ -1,27 +1,31 @@ { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_rare_metadata_user", - "name": "Unusual Linux User Calling the Metadata Service", - "risk_score": 21, - "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_rare_metadata_user", + "name": "Unusual Linux User Calling the Metadata Service", + "risk_score": 21, + "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 2 + }, + "id": "1faec04b-d902-4f89-8aff-92cd9043c16f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-1fe3b299-fbb5-4657-a937-1d746f2c711a.json b/packages/security_detection_engine/kibana/security_rule/rule-1fe3b299-fbb5-4657-a937-1d746f2c711a.json index a1be271b0c6..b8cedeb2db2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-1fe3b299-fbb5-4657-a937-1d746f2c711a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-1fe3b299-fbb5-4657-a937-1d746f2c711a.json 
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Network Activity from a Windows System Binary", - "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" 
or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", - "risk_score": 21, - "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Activity from a Windows System Binary", + "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name 
: \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "risk_score": 21, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json b/packages/security_detection_engine/kibana/security_rule/rule-2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json index 9fe769c1f54..f304f9665d4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json 
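Review bot: `"risk_score": 21` does not match `"severity": "medium"` here; the other rules in this batch pair medium with 47 and low with 21, so one of the two fields is wrong, most likely `"risk_score": 47,`. Separately, the network stage of the query repeats the full process.name list even though `sequence by process.entity_id` already ties the network event to the process matched in the first stage; the duplicated list is harmless but lets the two copies drift, and could be reduced to the join alone if that is the intent, worth confirming against how each data source populates process.entity_id. `msiexec.exe` in that list will also fire on ordinary installer downloads, which the rule does not document under false_positives. This is pre-existing query content that the commit only re-nests.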
@@ -1,24 +1,28 @@ { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Exploit - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", - "risk_score": 73, - "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", - "severity": "high", - "tags": [ - "Elastic", - "Elastic Endgame" - ], - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Exploit - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 5 + }, + "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-201200f1-a99b-43fb-88ed-f65a45c4972c.json b/packages/security_detection_engine/kibana/security_rule/rule-201200f1-a99b-43fb-88ed-f65a45c4972c.json index 1972d4cbe2c..cfd8d5ad3da 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-201200f1-a99b-43fb-88ed-f65a45c4972c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-201200f1-a99b-43fb-88ed-f65a45c4972c.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious .NET code execution. connections.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious .NET Code Compilation", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", - "risk_score": 47, - "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious .NET code execution. 
connections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious .NET Code Compilation", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "risk_score": 47, + "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-203ab79b-239b-4aa5-8e54-fc50623ee8e4.json b/packages/security_detection_engine/kibana/security_rule/rule-203ab79b-239b-4aa5-8e54-fc50623ee8e4.json index 701b2ae0587..33fa56c2170 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-203ab79b-239b-4aa5-8e54-fc50623ee8e4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-203ab79b-239b-4aa5-8e54-fc50623ee8e4.json 
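Review bot: The description `"Identifies suspicious .NET code execution. connections."` is garbled: the second sentence is a fragment and the first does not say what the query matches (csc.exe or vbc.exe started by a script host, LOLBin or svchost parent). Suggest `"description": "Identifies suspicious .NET code compilation: csc.exe or vbc.exe launched by a script host or LOLBin parent (wscript.exe, mshta.exe, cscript.exe, wmic.exe, svchost.exe, rundll32.exe, cmstp.exe, regsvr32.exe). Adversaries compile payloads on the target host to avoid delivering a pre-built binary."`. The ATT&CK mapping to T1055 Process Injection also looks mismatched for a compiler-launch detection; Compile After Delivery (T1027.004) appears to be the closer sub-technique, worth confirming with the rule author. The commit only re-nests the existing fields, so this text is pre-existing.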
@@ -1,60 +1,64 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.", - "false_positives": [ - "Certain applications may install root certificates for the purpose of inspecting SSL traffic." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation or Modification of Root Certificate", - "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n )\n", - "references": [ - "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", - "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" - ], - "risk_score": 21, - "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": 
"T1553.004", - "name": "Install Root Certificate", - "reference": "https://attack.mitre.org/techniques/T1553/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n )\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-20457e4f-d1de-4b92-ae69-142e27a4342a.json b/packages/security_detection_engine/kibana/security_rule/rule-20457e4f-d1de-4b92-ae69-142e27a4342a.json index c6a00b54aa4..db699032653 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-20457e4f-d1de-4b92-ae69-142e27a4342a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-20457e4f-d1de-4b92-ae69-142e27a4342a.json 
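Review bot: The registry.path list covers only the machine-wide stores under HKLM; the per-user trusted root store (HKEY_USERS\&lt;SID&gt;\Software\Microsoft\SystemCertificates\Root\Certificates\*\Blob) is writable without administrative rights and is where a non-elevated implant would plant a rogue root, so it is currently a blind spot for this rule. Consider adding `"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob"` to the list, JSON-escaped like the existing entries, after confirming that the HKEY_USERS prefix matches how the endpoint and winlogbeat sources render user hives in registry.path. This is pre-existing query content that the commit only re-nests under `attributes`.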
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access of Stored Browser Credentials", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n \"/Users/*/Library/Cookies*\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n \"Login Data\",\n \"Cookies.binarycookies\", \n \"key4.db\", \n \"key3.db\", \n \"logins.json\", \n \"cookies.sqlite\"\n )\n", - "references": [ - "https://securelist.com/calisto-trojan-for-macos/86543/" - ], - "risk_score": 73, - "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.003", - "name": "Credentials from Web Browsers", - "reference": "https://attack.mitre.org/techniques/T1555/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + 
"attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access of Stored Browser Credentials", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n \"/Users/*/Library/Cookies*\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n \"Login Data\",\n \"Cookies.binarycookies\", \n \"key4.db\", \n \"key3.db\", \n \"logins.json\", \n \"cookies.sqlite\"\n )\n", + "references": [ + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "risk_score": 73, + "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + 
"id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-20dc4620-3b68-4269-8124-ca5091e00ea8.json b/packages/security_detection_engine/kibana/security_rule/rule-20dc4620-3b68-4269-8124-ca5091e00ea8.json index f9ec1ecc41e..61aced4d89b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-20dc4620-3b68-4269-8124-ca5091e00ea8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-20dc4620-3b68-4269-8124-ca5091e00ea8.json 
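Review bot: The Firefox patterns in the new `query` only match a profile directory named `*.default`; recent Firefox releases typically create `*.default-release` (and users can name profiles arbitrarily), so the path-qualified Firefox entries will miss most current installs and only the bare `key4.db`/`logins.json`/`cookies.sqlite` tokens remain, which require the exact filename to be its own argument. The Chrome entries have the same narrowness, matching only the `Default` profile and not `Profile 1`, `Profile 2`, or Chromium-based browsers. Widening the directory wildcard keeps the intent while closing the gap, e.g. `"/Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite"` and `"/Users/*/Library/Application Support/Google/Chrome/*/Login Data"`. If the wider patterns raise noise from backup or sync tools, that is better handled with process-based exceptions than by pinning the profile name.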
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies that the maximum number login sessions has been reached for a user.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Max Login Sessions", - "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007" - ], - "risk_score": 47, - "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that the maximum number login sessions has been reached for a user.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Auditd Max Login Sessions", + "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007" + ], + "risk_score": 47, + "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": 
"https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "20dc4620-3b68-4269-8124-ca5091e00ea8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json b/packages/security_detection_engine/kibana/security_rule/rule-2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json index e5072ddfe23..461b9566591 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json 
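Review bot: The new envelope now carries the rule identifier twice, as `attributes.rule_id` and as the top-level `id`, and also carries two differently-scoped `type` keys (`attributes.type: "query"` for the detection engine and top-level `type: "security_rule"` for the saved-object kind), which is easy to misread and can drift if any of these files is ever edited by hand. If these files are produced by a build step, that step should assert that `id` equals `attributes.rule_id` for every rule before the package is published; if they are not, a short comment in the package README naming the two identifiers as required-equal would save the next maintainer a mistake. The rule content itself is unchanged by this hunk, and `version` correctly stays at 1.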
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH Authorized Keys File Modification", - "query": "event.category:file and event.type:(change or creation) and file.name:(\"authorized_keys\" or \"authorized_keys2\") and not process.executable: (/Library/Developer/CommandLineTools/usr/bin/git or /usr/local/Cellar/maven/*/libexec/bin/mvn or /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or /usr/bin/vim or /usr/local/Cellar/coreutils/*/bin/gcat or /usr/bin/bsdtar or /usr/bin/nautilus or /usr/bin/scp or /usr/bin/touch or /var/lib/docker/*)", - "risk_score": 47, - "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.004", - "name": "SSH Authorized Keys", - "reference": "https://attack.mitre.org/techniques/T1098/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. 
Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH Authorized Keys File Modification", + "query": "event.category:file and event.type:(change or creation) and file.name:(\"authorized_keys\" or \"authorized_keys2\") and not process.executable: (/Library/Developer/CommandLineTools/usr/bin/git or /usr/local/Cellar/maven/*/libexec/bin/mvn or /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or /usr/bin/vim or /usr/local/Cellar/coreutils/*/bin/gcat or /usr/bin/bsdtar or /usr/bin/nautilus or /usr/bin/scp or /usr/bin/touch or /var/lib/docker/*)", + "risk_score": 47, + "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-22599847-5d13-48cb-8872-5796fee8692b.json b/packages/security_detection_engine/kibana/security_rule/rule-22599847-5d13-48cb-8872-5796fee8692b.json index 233e3f99a92..a523a641f7f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-22599847-5d13-48cb-8872-5796fee8692b.json 
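Review bot: The `not process.executable:` list in the new `query` excludes `/usr/bin/vim`, `/usr/bin/scp` and `/usr/bin/touch`, which are exactly the interactive-editor and file-transfer paths an operator uses to plant a key in `authorized_keys`, so the exclusions suppress the primary T1098.004 technique rather than a benign source; `/var/lib/docker/*` likewise exempts any container-originated write. The list is also inconsistent as a noise filter, since `vi`, `nano`, `nvim` and shell redirection through `bash` are not exempted while `vim` is. I would drop those three binaries from the negation and move legitimate editor/provisioning noise into rule exceptions scoped to specific hosts or users, and consider constraining the match to the SSH directory with a clause such as `file.path:*/.ssh/*` if the `AuthorizedKeysFile` default holds in your fleet. The `.ssh` restriction is a tuning suggestion only; sshd can be configured to read keys from other paths.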
+++ b/packages/security_detection_engine/kibana/security_rule/rule-22599847-5d13-48cb-8872-5796fee8692b.json 
@@ -1,77 +1,81 @@ { - "author": [ - "Elastic" - ], - "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SUNBURST Command and Control Activity", - "note": "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.", - "query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" - ], - "risk_score": 73, - "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. 
This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SUNBURST Command and Control Activity", + "note": "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.", + "query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "risk_score": 73, + "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": 
"https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "22599847-5d13-48cb-8872-5796fee8692b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-227dc608-e558-43d9-b521-150772250bae.json b/packages/security_detection_engine/kibana/security_rule/rule-227dc608-e558-43d9-b521-150772250bae.json index e5482a85c19..d0280639765 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-227dc608-e558-43d9-b521-150772250bae.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-227dc608-e558-43d9-b521-150772250bae.json 
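Review bot: The allowlist in the new `query`, `and not *solarwinds.com*`, is evaluated over `http.request.body.content`, data that the (potentially backdoored) SolarWinds process itself emits, so an implant only has to include that substring anywhere in its request to suppress the alert. A safer exclusion keys on where the traffic is going rather than what it contains, e.g. `and not (destination.domain:*.solarwinds.com or url.domain:*.solarwinds.com)`, assuming the endpoint integration populates one of those fields for these HTTP events; if it does not, the note should at least say that the body-content exclusion is best-effort. The double-ended wildcards on body content are also expensive against a text field, which matters for a rule with a 9-minute look-back.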
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", - "false_positives": [ - "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS S3 Bucket Configuration Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" - ], - "risk_score": 21, - "rule_id": "227dc608-e558-43d9-b521-150772250bae", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": 
"https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", + "false_positives": [ + "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Configuration Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" + ], + "risk_score": 21, + "rule_id": "227dc608-e558-43d9-b521-150772250bae", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "227dc608-e558-43d9-b521-150772250bae", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json b/packages/security_detection_engine/kibana/security_rule/rule-231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json index 5090d87fc02..aaf3aca5e76 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json 
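Review bot: The new `query` keeps `event.outcome:success`, so a principal that attempts `DeleteBucketPolicy` or `DeleteBucketEncryption` and gets `AccessDenied` never surfaces, even though a failed call to a destructive S3 API is one of the clearer signs of an actor probing their permissions. I would either drop the outcome filter and expose `event.outcome` in the alert, or add a sibling rule for the failed case at the same low severity. The action list also omits `DeletePublicAccessBlock`, if that name appears in your CloudTrail `event.action` values; removing the public-access block is the change most directly tied to data exposure and belongs with `DeleteBucketPolicy`. The T1070 mapping reads oddly for configuration deletion, but that is pre-existing and not changed by this hunk.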
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "false_positives": [ - "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Shell via Web Server", - "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")", - "references": [ - "https://pentestlab.blog/tag/web-shell/" - ], - "risk_score": 47, - "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 9 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shell via Web Server", + "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")", + "references": [ + "https://pentestlab.blog/tag/web-shell/" + ], + "risk_score": 47, + "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 9 + }, + "id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2326d1b2-9acf-4dee-bd21-867ea7378b4d.json b/packages/security_detection_engine/kibana/security_rule/rule-2326d1b2-9acf-4dee-bd21-867ea7378b4d.json index 94c49992084..a616df12099 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2326d1b2-9acf-4dee-bd21-867ea7378b4d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2326d1b2-9acf-4dee-bd21-867ea7378b4d.json 
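Review bot: The new `query` restricts to `process.name:(bash or dash)`, but a web shell invoked through PHP's `system()`/`exec()` or a CGI handler normally runs `/bin/sh -c`, and on typical Linux telemetry `process.name` follows the invoked path (`sh`) rather than the symlink target, so the most common case is likely missed. The user list is similarly narrow, omitting `httpd`, `http`, `tomcat` and `lighttpd` accounts used by other server packages. A broader but still targeted form is `process.name:(bash or dash or sh or zsh or ksh) and user.name:(apache or nginx or www or "www-data" or httpd or http or tomcat)`; if that raises noise from monitoring products, the existing `false_positives` entry already points at rule exceptions as the tuning mechanism.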
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", - "false_positives": [ - "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Storage Bucket Permissions Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success", - "references": [ - "https://cloud.google.com/storage/docs/access-control/iam-permissions" - ], - "risk_score": 47, - "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. 
An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Permissions Modification", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success", + "references": [ + "https://cloud.google.com/storage/docs/access-control/iam-permissions" + ], + "risk_score": 47, + "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-25224a80-5a4a-4b8a-991e-6ab390465c4f.json b/packages/security_detection_engine/kibana/security_rule/rule-25224a80-5a4a-4b8a-991e-6ab390465c4f.json index 4530dea8d56..15312a9fa7f 100644 
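Review bot: The new `query` fires on every successful `storage.setIamPermissions`, so a routine grant to an internal group and a grant to `allUsers` or `allAuthenticatedUsers` (the public exposure the description warns about) produce identical medium-severity alerts, which makes the risk score hard to act on. If the GCP audit event surfaces the policy delta, a second clause that raises severity when the bound member is one of those two principals would give analysts a real signal; if it does not, the `note` should tell the analyst to pull the new policy from the bucket before triage. The description could also say that the rule does not distinguish public from private grants, so that exception-writing is done with that in mind.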
--- a/packages/security_detection_engine/kibana/security_rule/rule-25224a80-5a4a-4b8a-991e-6ab390465c4f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-25224a80-5a4a-4b8a-991e-6ab390465c4f.json 
@@ -1,71 +1,75 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Lateral Movement via Startup Folder", - "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n", - "references": [ - "https://www.mdsec.co.uk/2017/06/rdpinception/" - ], - "risk_score": 73, - "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file creations in the startup folder of a remote system. 
An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Movement via Startup Folder", + "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n", + "references": [ + "https://www.mdsec.co.uk/2017/06/rdpinception/" + ], + "risk_score": 73, + "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": 
"Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2636aa6c-88b5-4337-9c31-8d0192a8ef45.json b/packages/security_detection_engine/kibana/security_rule/rule-2636aa6c-88b5-4337-9c31-8d0192a8ef45.json index 4bc24298f81..b4a6ee173e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2636aa6c-88b5-4337-9c31-8d0192a8ef45.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2636aa6c-88b5-4337-9c31-8d0192a8ef45.json 
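Review bot: The new `query` hard-codes the system drive with `file.path : "C:\\*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"`, so a host whose profiles or ProgramData live on another volume, or a `\\tsclient` redirected drive exposed under a different letter, is not covered. If your EQL version supports the single-character wildcard, `file.path : "?:\\*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"` removes that assumption without widening the path otherwise. It is also worth stating in a `note` that for the `mstsc.exe` branch the alerting host is the RDP client whose local drive was mounted into the session, as in the referenced RDPInception write-up, since the description's "remote system" wording can be read the other way round during triage.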
@@ -1,68 +1,72 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", - "false_positives": [ - "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Blob Container Access Level Modification", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" - ], - "risk_score": 21, - "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to container access levels in Azure. 
Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", + "false_positives": [ + "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Container Access Level Modification", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" + ], + "risk_score": 21, + "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] }, - "technique": [ - { - "id": "T1526", - "name": "Cloud Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1526/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - 
"name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-265db8f5-fc73-4d0d-b434-6483b56372e2.json b/packages/security_detection_engine/kibana/security_rule/rule-265db8f5-fc73-4d0d-b434-6483b56372e2.json index d3f63d9496a..0bf008693b9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-265db8f5-fc73-4d0d-b434-6483b56372e2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-265db8f5-fc73-4d0d-b434-6483b56372e2.json 
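Review bot: The `query` line matches every successful `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE` operation, which presumably includes container creation and metadata updates, not only the access-level changes that `name` and `description` claim. If the Azure activity-log integration exposes the request's public-access property as a field, narrowing the query on it would make the rule match its description; if it does not, the `false_positives` entry should say that any container write fires the rule. At minimum a sentence in `note` such as `Any successful container write operation triggers this rule; confirm the container's resulting access level before escalating.` would set analyst expectations. This is pre-existing query text, not something the envelope change introduced.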
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Update Orchestrator Service Hijack", - "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\n \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n )\n", - "references": [ - "https://github.com/irsl/CVE-2020-1313" - ], - "risk_score": 73, - "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + 
"winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\n \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n )\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-26f68dba-ce29-497b-8e13-b4fde1db5a2d.json b/packages/security_detection_engine/kibana/security_rule/rule-26f68dba-ce29-497b-8e13-b4fde1db5a2d.json index 484b4c65e9f..ffc740d4e23 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-26f68dba-ce29-497b-8e13-b4fde1db5a2d.json 
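Review bot: The regenerated file still ends without a trailing newline (`\ No newline at end of file` after the closing `}`), and the same is true of every rule file in this diff. Since the commit rewrites each file through the new `attributes` envelope anyway, this is the moment to have the generator emit a final newline so that later edits do not produce a spurious last-line change in every diff. Only the serializer needs to change; the JSON content is unaffected.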
+++ b/packages/security_detection_engine/kibana/security_rule/rule-26f68dba-ce29-497b-8e13-b4fde1db5a2d.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempts to Brute Force a Microsoft 365 User Account", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", - "risk_score": 73, - "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "user.id" + "attributes": { + "author": [ + "Elastic" ], - "value": 10 + "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." 
+ ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force a Microsoft 365 User Account", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", + "risk_score": 73, + "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 2 }, - "type": "threshold", - "version": 2 + "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-272a6484-2663-46db-a532-ef734bf9a796.json b/packages/security_detection_engine/kibana/security_rule/rule-272a6484-2663-46db-a532-ef734bf9a796.json index 09ad52b9e1c..c34d98d74fb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-272a6484-2663-46db-a532-ef734bf9a796.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-272a6484-2663-46db-a532-ef734bf9a796.json 
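Review bot: The new top-level `id` repeats `attributes.rule_id` verbatim, here and in every other rule file in this diff, and nothing in the diff shows a check that the two stay equal. A future hand edit that changes one but not the other would presumably install the rule under a different saved-object id than the one the rule content names. If the package build already validates `id == attributes.rule_id`, a short comment in the generator or the package README pointing at that check is enough; if not, adding that assertion to the build step is a cheap guard. The envelope also introduces a second key named `type` (`security_rule`) alongside `attributes.type` (`threshold` here), so any consumer that reads `type` should be pointed at the right level.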
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", - "false_positives": [ - "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Transport Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" - ], - "risk_score": 47, - "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": 
"https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2772264c-6fb9-4d9d-9014-b416eed21254.json b/packages/security_detection_engine/kibana/security_rule/rule-2772264c-6fb9-4d9d-9014-b416eed21254.json index 397e21ec715..fc2f9cc62eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2772264c-6fb9-4d9d-9014-b416eed21254.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2772264c-6fb9-4d9d-9014-b416eed21254.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", - "false_positives": [ - "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming Execution via PowerShell Remoting", - "query": "sequence by host.id with maxspan = 30s\n [network where network.direction == \"incoming\" and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" - ], - "risk_score": 47, - "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows PowerShell remoting. 
Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", + "false_positives": [ + "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via PowerShell Remoting", + "query": "sequence by host.id with maxspan = 30s\n [network where network.direction == \"incoming\" and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" + ], + "risk_score": 47, + "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2783d84f-5091-4d7d-9319-9fceda8fa71b.json b/packages/security_detection_engine/kibana/security_rule/rule-2783d84f-5091-4d7d-9319-9fceda8fa71b.json index 930d760c43c..2be890272e2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2783d84f-5091-4d7d-9319-9fceda8fa71b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2783d84f-5091-4d7d-9319-9fceda8fa71b.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.", - "false_positives": [ - "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Firewall Rule Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch", - "references": [ - "https://cloud.google.com/vpc/docs/firewalls" - ], - "risk_score": 47, - "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. 
An adversary may modify a firewall rule in order to weaken their target's security controls.", + "false_positives": [ + "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Modification", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls" + ], + "risk_score": 47, + "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json b/packages/security_detection_engine/kibana/security_rule/rule-27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json index 6fbca7a147d..638e73822e7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json 
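Review bot: `attributes` for this rule carries no `from` field, so the rule runs with Kibana's default lookback, whereas the Azure and Microsoft 365 rules in this diff set `now-25m` / `now-30m` to absorb cloud audit-log delivery delay. With `timestamp_override` set to `event.ingested` this may be acceptable, but if GCP audit events arrive late they could fall outside the default window and never be evaluated. Adding `"from": "now-25m",` before `"index"` would align it with the sibling cloud rules; this is pre-existing and not introduced by the envelope change.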
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", - "false_positives": [ - "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Teams External Access Enabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" - ], - "risk_score": 47, - "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. 
External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "type": "security_rule" } \ No newline at end of file 
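Review bot: The `description` says the rule also catches an adversary adding an allowed domain, but the `query` only matches `Set-CsTenantFederationConfiguration` with `o365.audit.Parameters.AllowFederatedUsers:True`, so an allowed-domain change made while federation is already enabled would not fire. Either the description should be narrowed to "external access is enabled", or the query should additionally match the allowed-domains parameter of the same cmdlet, if the integration exposes it as a field. As a minimum, `note` could state `This rule fires only when federated access is switched on; allowed-domain additions are not covered.` so analysts do not assume coverage that is not there. This is pre-existing and not introduced by the envelope change.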
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2856446a-34e6-435b-9fb5-f8f040bfa7ed.json b/packages/security_detection_engine/kibana/security_rule/rule-2856446a-34e6-435b-9fb5-f8f040bfa7ed.json index dcda77b6fcb..6cb5d1dc711 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2856446a-34e6-435b-9fb5-f8f040bfa7ed.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2856446a-34e6-435b-9fb5-f8f040bfa7ed.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Net command via SYSTEM account", - "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM", - "risk_score": 21, - "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the SYSTEM account using an account discovery utility. 
This could be a sign of discovery activity after an adversary has achieved privilege escalation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Net command via SYSTEM account", + "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM", + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2863ffeb-bf77-44dd-b7a5-93ef94b72036.json b/packages/security_detection_engine/kibana/security_rule/rule-2863ffeb-bf77-44dd-b7a5-93ef94b72036.json index 2ce1ed7e739..11fe82894be 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-2863ffeb-bf77-44dd-b7a5-93ef94b72036.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-2863ffeb-bf77-44dd-b7a5-93ef94b72036.json 
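Review bot: The `query` relies on KQL's implicit precedence (`and` binds tighter than `or`) inside the parenthesised group, so it reads as `(whoami.exe or net.exe) or (net1.exe and not parent net.exe)`; that is presumably the intent, since net.exe spawning net1.exe would otherwise fire twice, but it is easy to misread as the `not` applying to all three names. Making the grouping explicit, `(process.name:(whoami.exe or net.exe) or (process.name:net1.exe and not process.parent.name:net.exe))`, documents the intent with no change in behaviour. This is a readability point on pre-existing query text.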
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Exploit - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
- "risk_score": 47,
- "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Exploit - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+ "risk_score": 47,
+ "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-28896382-7d4f-4d50-9b72-67091901fd26.json b/packages/security_detection_engine/kibana/security_rule/rule-28896382-7d4f-4d50-9b72-67091901fd26.json
index 9705f4f3445..a409262a5c9 100644
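Review bot: The `attributes` block of this rule carries no `timestamp_override`, while the other query rules in this batch set `"timestamp_override": "event.ingested"`; the same omission is visible in rule-2fba96c0-ade5-4bce-b92f-a5df2509da3f.json (Startup Folder Persistence via Unsigned Process). Without it the rule is presumably evaluated on `@timestamp`, so events ingested after the `from` look-back window has passed would not be seen by the rule. If the omission is deliberate for Endgame alert forwarding and for `sequence` rules, a short sentence in `note` saying so would stop reviewers raising it again; otherwise adding `"timestamp_override": "event.ingested"` before `"type"` aligns both rules with their siblings. This is unchanged from the old side and not something the wrapping change addresses.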
--- a/packages/security_detection_engine/kibana/security_rule/rule-28896382-7d4f-4d50-9b72-67091901fd26.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-28896382-7d4f-4d50-9b72-67091901fd26.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Suspicious Process from Conhost",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe and not process.executable:(\"C:\\Windows\\splwow64.exe\" or \"C:\\Windows\\System32\\WerFault.exe\" or \"C:\\\\Windows\\System32\\conhost.exe\")",
- "references": [
- "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
- ],
- "risk_score": 73,
- "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1055",
- "name": "Process Injection",
- "reference": "https://attack.mitre.org/techniques/T1055/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Suspicious Process from Conhost",
+ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe and not 
process.executable:(\"C:\\Windows\\splwow64.exe\" or \"C:\\Windows\\System32\\WerFault.exe\" or \"C:\\\\Windows\\System32\\conhost.exe\")",
+ "references": [
+ "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+ ],
+ "risk_score": 73,
+ "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1055",
+ "name": "Process Injection",
+ "reference": "https://attack.mitre.org/techniques/T1055/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "28896382-7d4f-4d50-9b72-67091901fd26",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-290aca65-e94d-403b-ba0f-62f320e63f51.json b/packages/security_detection_engine/kibana/security_rule/rule-290aca65-e94d-403b-ba0f-62f320e63f51.json
index d7cfaa4b2bc..bdab2387fd3 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-290aca65-e94d-403b-ba0f-62f320e63f51.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-290aca65-e94d-403b-ba0f-62f320e63f51.json
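Review bot: The `process.executable` exclusion list in the `query` string writes the conhost.exe path with a doubled backslash (`\"C:\\\\Windows\\System32\\conhost.exe\"`) while the two sibling paths use a single one, so after JSON decoding the KQL parser sees `C:\\Windows\System32\conhost.exe` next to `C:\Windows\splwow64.exe`. If the KQL quoted-string grammar collapses `\\` to `\` the three literals evaluate the same; if it does not, the conhost.exe exclusion never matches and nested conhost launches would alert as injection. Either way the three paths should be written identically, `\"C:\\Windows\\System32\\conhost.exe\"`, so the intent is unambiguous to the next maintainer. The pattern is carried over verbatim from the old side and is not something the wrapping change addresses.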
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "UAC Bypass Attempt via Windows Directory Masquerading",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
- "references": [
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
- ],
- "risk_score": 73,
- "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/",
- "subtechnique": [
- {
- "id": "T1548.002",
- "name": "Bypass User Access Control",
- "reference": "https://attack.mitre.org/techniques/T1548/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. 
Attackers may bypass UAC to stealthily execute code with elevated permissions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "UAC Bypass Attempt via Windows Directory Masquerading",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+ "references": [
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
+ ],
+ "risk_score": 73,
+ "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.002",
+ "name": "Bypass User Access Control",
+ "reference": "https://attack.mitre.org/techniques/T1548/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2bf78aa2-9c56-48de-b139-f169bf99cf86.json b/packages/security_detection_engine/kibana/security_rule/rule-2bf78aa2-9c56-48de-b139-f169bf99cf86.json
index 2cd9d09d11a..01c0e62a996 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2bf78aa2-9c56-48de-b139-f169bf99cf86.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2bf78aa2-9c56-48de-b139-f169bf99cf86.json
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Adobe Hijack Persistence",
- "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
- "risk_score": 21,
- "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1574",
- "name": "Hijack Execution Flow",
- "reference": "https://attack.mitre.org/techniques/T1574/",
- "subtechnique": [
- {
- "id": "T1574.010",
- "name": "Services File Permissions Weakness",
- "reference": "https://attack.mitre.org/techniques/T1574/010/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Adobe Hijack Persistence",
+ "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not 
process.name:msiexec.exe",
+ "risk_score": 21,
+ "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.010",
+ "name": "Services File Permissions Weakness",
+ "reference": "https://attack.mitre.org/techniques/T1574/010/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2d8043ed-5bda-4caf-801c-c1feb7410504.json b/packages/security_detection_engine/kibana/security_rule/rule-2d8043ed-5bda-4caf-801c-c1feb7410504.json
index dc9a53c3d7e..8b5d6818f6c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2d8043ed-5bda-4caf-801c-c1feb7410504.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2d8043ed-5bda-4caf-801c-c1feb7410504.json
@@ -1,48 +1,52 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
- "false_positives": [
- "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Enumeration of Kernel Modules",
- "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
- "risk_score": 47,
- "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Discovery"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1082",
- "name": "System Information Discovery",
- "reference": "https://attack.mitre.org/techniques/T1082/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+ "false_positives": [
+ "Security tools and device drivers may run these programs in order to enumerate kernel modules. 
Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Enumeration of Kernel Modules",
+ "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+ "risk_score": 47,
+ "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json b/packages/security_detection_engine/kibana/security_rule/rule-2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
index 167d5569aea..d4691d38440 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
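Review bot: The `process.args` clause in the `query` string, `kmod and list and sudo or sudo and (depmod or lsmod or modinfo)`, relies on `and` binding tighter than `or` with no parentheses around the first alternative, so a reader has to know KQL precedence to see that `sudo` is required on both branches. Writing it as `process.args:((kmod and list and sudo) or (sudo and (depmod or lsmod or modinfo)))` expresses the same condition explicitly. Because `sudo` is required either way, the rule is scoped to privilege-elevated invocations; stating that scope in `description` would help tuners read the `false_positives` guidance correctly. The clause is unchanged from the old side, so this is a pre-existing style point rather than something the wrapping change introduces.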
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Renamed AutoIt Scripts Interpreter",
- "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
- "risk_score": 47,
- "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1036",
- "name": "Masquerading",
- "reference": "https://attack.mitre.org/techniques/T1036/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a suspicious AutoIt process execution. 
Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Renamed AutoIt Scripts Interpreter",
+ "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+ "risk_score": 47,
+ "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2e580225-2a58-48ef-938b-572933be06fe.json b/packages/security_detection_engine/kibana/security_rule/rule-2e580225-2a58-48ef-938b-572933be06fe.json
index 2c2b4460860..bc024c57fb6 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2e580225-2a58-48ef-938b-572933be06fe.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2e580225-2a58-48ef-938b-572933be06fe.json
@@ -1,62 +1,66 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
- "false_positives": [
- "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
- ],
- "index": [
- "packetbeat-*"
- ],
- "language": "lucene",
- "license": "Elastic License v2",
- "name": "Halfbaked Command and Control Beacon",
- "note": "This activity has been observed in FIN7 campaigns.",
- "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
- "https://attack.mitre.org/software/S0151/"
- ],
- "risk_score": 73,
- "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
- "severity": "high",
- "tags": [
- "Elastic",
- "Network",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "technique": [
- {
- "id": "T1071",
- "name": "Application Layer Protocol",
- "reference": "https://attack.mitre.org/techniques/T1071/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+ "false_positives": [
+ "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected." 
+ ],
+ "index": [
+ "packetbeat-*"
+ ],
+ "language": "lucene",
+ "license": "Elastic License v2",
+ "name": "Halfbaked Command and Control Beacon",
+ "note": "This activity has been observed in FIN7 campaigns.",
+ "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+ "references": [
+ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+ "https://attack.mitre.org/software/S0151/"
+ ],
+ "risk_score": 73,
+ "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Network",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- {
- "id": "T1568",
- "name": "Dynamic Resolution",
- "reference": "https://attack.mitre.org/techniques/T1568/",
- "subtechnique": [
- {
- "id": "T1568.002",
- "name": "Domain Generation Algorithms",
- "reference": "https://attack.mitre.org/techniques/T1568/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ },
+ {
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "2e580225-2a58-48ef-938b-572933be06fe",
+ "type": "security_rule"
 }
\ No newline at end of file
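Review bot: The dotted-quad portion of the Lucene regex in `query`, `[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}`, leaves the `.` between octets unescaped, and in a regex an unescaped dot matches any single character rather than a literal dot, so the pattern is broader than a dotted IPv4 address and can match other digit-separated strings in `url.full`. If a literal dot is intended, each separator should be written as `\\.` in the JSON string (`\.` once decoded), consistent with how the slashes are already escaped as `\\/`; confirm the escape survives the Lucene query-string parser before the regex reaches the engine. The pattern is identical on the old side, so this is pre-existing and not addressed by the wrapping change.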
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json b/packages/security_detection_engine/kibana/security_rule/rule-2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
index 54e9080d6ce..ba48fb7df1f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Creation of a Hidden Local User Account",
- "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
- "references": [
- "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
- "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
- ],
- "risk_score": 73,
- "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1136",
- "name": "Create Account",
- "reference": "https://attack.mitre.org/techniques/T1136/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. 
This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Creation of a Hidden Local User Account",
+ "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+ "references": [
+ "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+ "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
+ ],
+ "risk_score": 73,
+ "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2f8a1226-5720-437d-9c20-e0029deb6194.json b/packages/security_detection_engine/kibana/security_rule/rule-2f8a1226-5720-437d-9c20-e0029deb6194.json
index dbd16611674..c8b8bd494a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2f8a1226-5720-437d-9c20-e0029deb6194.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2f8a1226-5720-437d-9c20-e0029deb6194.json
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Disable Syslog Service",
- "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
- "risk_score": 47,
- "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Disable Syslog Service",
+ "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or 
(process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+ "risk_score": 47,
+ "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2fba96c0-ade5-4bce-b92f-a5df2509da3f.json b/packages/security_detection_engine/kibana/security_rule/rule-2fba96c0-ade5-4bce-b92f-a5df2509da3f.json
index 05d7439f6f4..1fd647be807 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2fba96c0-ade5-4bce-b92f-a5df2509da3f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2fba96c0-ade5-4bce-b92f-a5df2509da3f.json
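Review bot: The `description` string on the new side reads `in an attempt to an attempt to disrupt event logging`, duplicating the phrase; it should read `"description": "Adversaries may attempt to disable the syslog service in an attempt to disrupt event logging and evade detection by security controls.",`. This text is what analysts see in the rule UI, and it is carried over verbatim from the old side, so the wrapping change does not fix it. Changing the text presumably also calls for bumping `version`, which stays at 7 here.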
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Startup Folder Persistence via Unsigned Process",
- "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\", \n \"C:\\\\ProgramData\\\\*.exe\", \n \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n \"C:\\\\Intel\\\\*.exe\", \n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n",
- "risk_score": 41,
- "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1547",
- "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.001",
- "name": "Registry Run Keys / Startup Folder",
- "reference": "https://attack.mitre.org/techniques/T1547/001/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Startup Folder Persistence via Unsigned Process",
+ "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\", \n \"C:\\\\ProgramData\\\\*.exe\", \n \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n \"C:\\\\Intel\\\\*.exe\", \n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n",
+ "risk_score": 41,
+ "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.001",
+ "name": "Registry Run Keys / Startup Folder",
+ "reference": "https://attack.mitre.org/techniques/T1547/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+ "type": "security_rule"
 }
\ No newline at end of file
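Review bot: This EQL rule still has no `timestamp_override`, whereas the other rules rewritten in this commit (including the 2ffa1f1e and 32c5cf9c EQL rules) set `"timestamp_override": "event.ingested"`; without it, events that arrive with ingest delay can fall outside the `now-9m` lookback and the sequence may never alert. If the omission is deliberate, a `note` saying so would help; otherwise add `"timestamp_override": "event.ingested",` before `"type": "eql"` inside `attributes`. The `/* suspicious paths can be added here */` comment inside the query is a good pattern and could be extended with one line explaining why writes by `NT AUTHORITY` are excluded from the file event.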
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-2ffa1f1e-b6db-47fa-994b-1512743847eb.json b/packages/security_detection_engine/kibana/security_rule/rule-2ffa1f1e-b6db-47fa-994b-1512743847eb.json
index fbf6277dd31..f0bf457f963 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-2ffa1f1e-b6db-47fa-994b-1512743847eb.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-2ffa1f1e-b6db-47fa-994b-1512743847eb.json
@@ -1,62 +1,66 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Windows Defender Disabled via Registry Modification",
- "note": "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized",
- "query": "registry where event.type in (\"creation\", \"change\") and\n ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings:\"1\") or\n (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\")))\n",
- "references": [
- "https://thedfirreport.com/2020/12/13/defender-control/"
- ],
- "risk_score": 21,
- "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.006",
- "name": "Indicator Blocking",
- "reference": "https://attack.mitre.org/techniques/T1562/006/"
- },
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Windows Defender Disabled via Registry Modification",
+ "note": "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized",
+ "query": "registry where event.type in (\"creation\", \"change\") and\n ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings:\"1\") or\n (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\")))\n",
+ "references": [
+ "https://thedfirreport.com/2020/12/13/defender-control/"
+ ],
+ "risk_score": 21,
+ "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.006",
+ "name": "Indicator Blocking",
+ "reference": "https://attack.mitre.org/techniques/T1562/006/"
+ },
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-30562697-9859-4ae0-a8c5-dab45d664170.json b/packages/security_detection_engine/kibana/security_rule/rule-30562697-9859-4ae0-a8c5-dab45d664170.json
index 8ab07b9887b..caa059f8344 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-30562697-9859-4ae0-a8c5-dab45d664170.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-30562697-9859-4ae0-a8c5-dab45d664170.json
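Review bot: The `note` text carried onto the new side does not describe this rule: it talks about hosts and users being "authorized to use this tool" and says the rule "detects post-exploitation process activity", but the query is a `registry where` rule on Defender's `DisableAntiSpyware` and `WinDefend\Start` values and no tool or process is involved. Suggest rewording it to `Investigate whether the registry change was made by an authorized administrator or endpoint-management tool; disabling Windows Defender is typically post-compromise activity, so investigations into this should be prioritized.` The same copied wording may exist in other Defender rules this commit touches outside this chunk, so it is worth a grep across the package.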
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
- "false_positives": [
- "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Firewall Rule Creation",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
- "references": [
- "https://cloud.google.com/vpc/docs/firewalls"
- ],
- "risk_score": 21,
- "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+ "false_positives": [
+ "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Firewall Rule Creation",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
+ "references": [
+ "https://cloud.google.com/vpc/docs/firewalls"
+ ],
+ "risk_score": 21,
+ "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "30562697-9859-4ae0-a8c5-dab45d664170",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-31295df3-277b-4c56-a1fb-84e31b4222a9.json b/packages/security_detection_engine/kibana/security_rule/rule-31295df3-277b-4c56-a1fb-84e31b4222a9.json
index 328c383e4ee..a22f66bbef0 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-31295df3-277b-4c56-a1fb-84e31b4222a9.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-31295df3-277b-4c56-a1fb-84e31b4222a9.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
- "false_positives": [
- "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
- ],
- "index": [
- "packetbeat-*"
- ],
- "language": "lucene",
- "license": "Elastic License v2",
- "name": "Inbound Connection to an Unsecure Elasticsearch Node",
- "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
- "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
- "references": [
- "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
- "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
- ],
- "risk_score": 47,
- "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Network",
- "Threat Detection",
- "Initial Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1190",
- "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+ "false_positives": [
+ "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+ ],
+ "index": [
+ "packetbeat-*"
+ ],
+ "language": "lucene",
+ "license": "Elastic License v2",
+ "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+ "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+ "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+ "references": [
+ "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+ "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+ ],
+ "risk_score": 47,
+ "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Network",
+ "Threat Detection",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1190",
+ "name": "Exploit Public-Facing Application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json b/packages/security_detection_engine/kibana/security_rule/rule-31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json
index 45137265907..60c4ff4f9aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Bypass UAC via Event Viewer",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
- "risk_score": 21,
- "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/",
- "subtechnique": [
- {
- "id": "T1548.002",
- "name": "Bypass User Access Control",
- "reference": "https://attack.mitre.org/techniques/T1548/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Bypass UAC via Event Viewer",
+ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+ "risk_score": 21,
+ "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.002",
+ "name": "Bypass User Access Control",
+ "reference": "https://attack.mitre.org/techniques/T1548/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3202e172-01b1-4738-a932-d024c514ba72.json b/packages/security_detection_engine/kibana/security_rule/rule-3202e172-01b1-4738-a932-d024c514ba72.json
index bd0b2657844..91553ac4886 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-3202e172-01b1-4738-a932-d024c514ba72.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-3202e172-01b1-4738-a932-d024c514ba72.json
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
- "false_positives": [
- "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Pub/Sub Topic Deletion",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
- "references": [
- "https://cloud.google.com/pubsub/docs/overview"
- ],
- "risk_score": 21,
- "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+ "false_positives": [
+ "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Pub/Sub Topic Deletion",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+ "references": [
+ "https://cloud.google.com/pubsub/docs/overview"
+ ],
+ "risk_score": 21,
+ "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "3202e172-01b1-4738-a932-d024c514ba72",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-323cb487-279d-4218-bcbd-a568efe930c6.json b/packages/security_detection_engine/kibana/security_rule/rule-323cb487-279d-4218-bcbd-a568efe930c6.json
index fec7e52d875..cd7c999e3ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-323cb487-279d-4218-bcbd-a568efe930c6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-323cb487-279d-4218-bcbd-a568efe930c6.json
@@ -1,60 +1,64 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
- "false_positives": [
- "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Network Watcher Deletion",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)",
- "references": [
- "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
- ],
- "risk_score": 47,
- "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Network Security"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+ "false_positives": [
+ "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Network Watcher Deletion",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+ ],
+ "risk_score": 47,
+ "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Network Security"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "323cb487-279d-4218-bcbd-a568efe930c6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-32923416-763a-4531-bb35-f33b9232ecdb.json b/packages/security_detection_engine/kibana/security_rule/rule-32923416-763a-4531-bb35-f33b9232ecdb.json
index 00eda660f29..553242a470b 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-32923416-763a-4531-bb35-f33b9232ecdb.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-32923416-763a-4531-bb35-f33b9232ecdb.json
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
- "from": "now-9m",
- "index": [
- "filebeat-*",
- "packetbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "RPC (Remote Procedure Call) to the Internet",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
- "risk_score": 73,
- "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Network",
- "Threat Detection",
- "Initial Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1190",
- "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
+ "from": "now-9m",
+ "index": [
+ "filebeat-*",
+ "packetbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "RPC (Remote Procedure Call) to the Internet",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+ "risk_score": 73,
+ "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Network",
+ "Threat Detection",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1190",
+ "name": "Exploit Public-Facing Application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "32923416-763a-4531-bb35-f33b9232ecdb",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json b/packages/security_detection_engine/kibana/security_rule/rule-32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json
index db370834fc1..85ea16a5d12 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json
@@ -1,46 +1,50 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Program Files Directory Masquerading",
- "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
- "risk_score": 47,
- "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1036",
- "name": "Masquerading",
- "reference": "https://attack.mitre.org/techniques/T1036/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Program Files Directory Masquerading",
+ "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+ "risk_score": 47,
+ "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-32f4675e-6c49-4ace-80f9-97c9259dca2e.json b/packages/security_detection_engine/kibana/security_rule/rule-32f4675e-6c49-4ace-80f9-97c9259dca2e.json
index e3d6c30ffb4..c80081f6be2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-32f4675e-6c49-4ace-80f9-97c9259dca2e.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-32f4675e-6c49-4ace-80f9-97c9259dca2e.json
@@ -1,53 +1,57 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Suspicious MS Outlook Child Process",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
- "risk_score": 21,
- "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Initial Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1566",
- "name": "Phishing",
- "reference": "https://attack.mitre.org/techniques/T1566/",
- "subtechnique": [
- {
- "id": "T1566.001",
- "name": "Spearphishing Attachment",
- "reference": "https://attack.mitre.org/techniques/T1566/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Suspicious MS Outlook Child Process",
+ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+ "risk_score": 21,
+ "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/",
+ "subtechnique": [
+ {
+ "id": "T1566.001",
+ "name": "Spearphishing Attachment",
+ "reference": "https://attack.mitre.org/techniques/T1566/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-333de828-8190-4cf5-8d7c-7575846f6fe0.json b/packages/security_detection_engine/kibana/security_rule/rule-333de828-8190-4cf5-8d7c-7575846f6fe0.json
index 6420d40a8eb..9bc98a385c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-333de828-8190-4cf5-8d7c-7575846f6fe0.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-333de828-8190-4cf5-8d7c-7575846f6fe0.json
@@ -1,63 +1,67 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
- "false_positives": [
- "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS IAM User Addition to Group",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
- "references": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
- ],
- "risk_score": 21,
- "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+ "false_positives": [
+ "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS IAM User Addition to Group",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": []
},
- "technique": []
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1098",
- "name": "Account Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1098/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+ "type": "security_rule"
}
\ No newline at end of file
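Review bot: The `note` string on the new side says only the AWS Filebeat module must be enabled, yet the `index` list also matches `logs-aws*`, which appears to be the Fleet integration data stream, so the documentation understates how the rule can be fed; `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` would match the index pattern. The first `threat` entry (TA0006, Credential Access) carries an empty `technique` array on both sides; if that is deliberate it is fine, but it is worth confirming nothing was dropped when the file was regenerated.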
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-33f306e8-417c-411b-965c-c2812d6d3f4d.json b/packages/security_detection_engine/kibana/security_rule/rule-33f306e8-417c-411b-965c-c2812d6d3f4d.json
index a410051988c..c8cee135e00 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-33f306e8-417c-411b-965c-c2812d6d3f4d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-33f306e8-417c-411b-965c-c2812d6d3f4d.json
@@ -1,67 +1,71 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Remote File Download via PowerShell",
- "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n",
- "risk_score": 47,
- "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Remote File Download via PowerShell",
+ "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+ "risk_score": 47,
+ "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
},
- "technique": [
- {
- "id": "T1105",
- "name": "Ingress Tool Transfer",
- "reference": "https://attack.mitre.org/techniques/T1105/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/",
- "subtechnique": [
- {
- "id": "T1059.001",
- "name": "PowerShell",
- "reference": "https://attack.mitre.org/techniques/T1059/001/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-34fde489-94b0-4500-a76f-b8a157cf9269.json b/packages/security_detection_engine/kibana/security_rule/rule-34fde489-94b0-4500-a76f-b8a157cf9269.json
index db649d3dcd7..611d8767940 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-34fde489-94b0-4500-a76f-b8a157cf9269.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-34fde489-94b0-4500-a76f-b8a157cf9269.json
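Review bot: The new side of rule-33f306e8 has no `timestamp_override` entry (the object goes straight from the `threat` array to `"type": "eql"`), whereas every sibling rule in this chunk sets `"timestamp_override": "event.ingested"`. Without the override the `from: now-9m` window is evaluated against the event's own timestamp, so endpoint events that are ingested after that window has passed can be skipped, which matters for a sequence rule with a 30s maxspan. If the omission is intentional, a short note in the rule would help the next reader; otherwise adding `"timestamp_override": "event.ingested",` before `"type"` keeps it consistent with the other rules.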
@@ -1,73 +1,77 @@
{
- "author": [
- "Elastic"
- ],
- "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
- "false_positives": [
- "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
- ],
- "from": "now-9m",
- "index": [
- "filebeat-*",
- "packetbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Telnet Port Activity",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
- "risk_score": 47,
- "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Network",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
+ "false_positives": [
+ "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+ ],
+ "from": "now-9m",
+ "index": [
+ "filebeat-*",
+ "packetbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Telnet Port Activity",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+ "risk_score": 47,
+ "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Network",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": []
},
- "technique": []
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
},
- "technique": [
- {
- "id": "T1021",
- "name": "Remote Services",
- "reference": "https://attack.mitre.org/techniques/T1021/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1190",
- "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1190",
+ "name": "Exploit Public-Facing Application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-35330ba2-c859-4c98-8b7f-c19159ea0e58.json b/packages/security_detection_engine/kibana/security_rule/rule-35330ba2-c859-4c98-8b7f-c19159ea0e58.json
index 906b40720d1..23f9d9fd39a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-35330ba2-c859-4c98-8b7f-c19159ea0e58.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-35330ba2-c859-4c98-8b7f-c19159ea0e58.json
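Review bot: The `description` string on the new side still carries the typo `embed ed systems`; this is the text analysts see in the rule detail, so it should read `embedded systems`. If this file is produced from an upstream rule source, the fix belongs there so the next regeneration does not reintroduce it.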
@@ -1,66 +1,70 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Execution via Electron Child Process Node.js Module",
- "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)",
- "references": [
- "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
- "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
- "https://nodejs.org/api/child_process.html"
- ],
- "risk_score": 47,
- "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Defense Evasion",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Execution via Electron Child Process Node.js Module",
+ "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)",
+ "references": [
+ "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
+ "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
+ "https://nodejs.org/api/child_process.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
},
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json b/packages/security_detection_engine/kibana/security_rule/rule-3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json
index 72e8d239252..dacffafce4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json
@@ -1,56 +1,60 @@
{
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Port Forwarding Rule Addition",
- "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
- ],
- "risk_score": 47,
- "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Port Forwarding Rule Addition",
+ "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+ "references": [
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+ "type": "security_rule"
}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-35df0dd8-092d-4a83-88c1-5151a804f31b.json b/packages/security_detection_engine/kibana/security_rule/rule-35df0dd8-092d-4a83-88c1-5151a804f31b.json
index 7d9b9b447b5..b6feb01d258 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-35df0dd8-092d-4a83-88c1-5151a804f31b.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-35df0dd8-092d-4a83-88c1-5151a804f31b.json
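Review bot: The query on the new side, `registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\PortProxy\\v4tov4\\*"`, has no `event.type` or `event.action` constraint, so any registry event under that path matches, including modifications, while the name ("Addition") and description ("creation of a new port forwarding rule") promise creation only. Matching modifications as well is arguably the better choice for a defender, but the documentation should then say so, e.g. `"description": "Identifies the creation or modification of a port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions."`. If creation-only is what is intended, the query needs an explicit `event.type` filter instead, as the PowerShell rule earlier in this diff does with `event.type == "creation"`.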
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Parent-Child Relationship", - "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", - "references": [ - "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png", - "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" - ], - "risk_score": 47, - "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.012", - "name": "Process Hollowing", - 
"reference": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not 
process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + 
"reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-36a8e048-d888-4f61-a8b9-0f9e2e40f317.json b/packages/security_detection_engine/kibana/security_rule/rule-36a8e048-d888-4f61-a8b9-0f9e2e40f317.json index 6d9b51d684a..27741ac6c33 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-36a8e048-d888-4f61-a8b9-0f9e2e40f317.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-36a8e048-d888-4f61-a8b9-0f9e2e40f317.json 
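Review bot: Every allow-list in the query keys on `process.parent.name` / `process.name` alone, so a binary named `services.exe` or `svchost.exe` dropped in a user-writable directory is treated as the legitimate system parent and suppresses the alert for anything it spawns — the masquerading the description says the rule is meant to catch. Pairing the parent exclusions with a path check (e.g. `process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\")` on the excluded-parent side) closes the gap without adding noise, since the genuine parents always live there. Minor: the first `references` URL contains unencoded spaces (`Hunting MindMaps/PNG/Windows Processes TH.map.png`); percent-encode them so the link survives copy/paste into clients that stop at the first space.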
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious ImagePath Service Creation", - "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", - "risk_score": 73, - "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious ImagePath value. 
This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ImagePath Service Creation", + "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "risk_score": 73, + "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-37994bca-0611-4500-ab67-5588afe73b77.json b/packages/security_detection_engine/kibana/security_rule/rule-37994bca-0611-4500-ab67-5588afe73b77.json index 90c4c5807e6..78169fd9a43 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-37994bca-0611-4500-ab67-5588afe73b77.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-37994bca-0611-4500-ab67-5588afe73b77.json 
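Review bot: The description says "creation of a suspicious ImagePath value", but the query has no `event.type`/`event.action` constraint, so a rewrite of an existing service's ImagePath (the quieter persistence variant) also fires — that is desirable, and the description should say "creation or modification" so analysts triaging the alert know a pre-existing service name is expected. The `/* add suspicious registry ImagePath values here */` comment leaves the two current patterns as the whole detection surface; `%COMSPEC%*` and `*\\\\.\\\\pipe\\\\*` are matched case-insensitively by `:`, but a plain `cmd.exe /c ...` or `powershell*` ImagePath is not covered, which is worth stating in `false_positives`/`note` so operators know to extend the list.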
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic", - "Willem D'Haese" - ], - "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Active Directory High Risk Sign-in", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:high and event.outcome:(success or Success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" - ], - "risk_score": 73, - "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese" + ], + "description": "Identifies high risk Azure Active Directory 
(AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory High Risk Sign-in", + "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:high and event.outcome:(success or Success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" + ], + "risk_score": 73, + "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "37994bca-0611-4500-ab67-5588afe73b77", + "type": "security_rule" } \ No newline at end of file 
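Review bot: `event.outcome:(success or Success)` restricts the query to sign-ins that actually succeeded, so a high-risk sign-in that Conditional Access or MFA blocked is never surfaced; that is a reasonable choice for a `high` severity rule, but the description should say "successful high risk sign-ins" rather than "high risk sign-ins", and a lower-severity companion for blocked attempts is worth considering since those are the earliest signal of a compromised password. The query also reads only `risk_level_during_signin`; the linked Identity Protection docs distinguish real-time sign-in risk from aggregated risk, so if the integration populates an aggregated-risk field as well, document why only the real-time value is used.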
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-37b0816d-af40-40b4-885f-bb162b3c88a9.json b/packages/security_detection_engine/kibana/security_rule/rule-37b0816d-af40-40b4-885f-bb162b3c88a9.json index 605937072f6..6d08c11e126 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-37b0816d-af40-40b4-885f-bb162b3c88a9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-37b0816d-af40-40b4-885f-bb162b3c88a9.json 
@@ -1,54 +1,58 @@ { - "anomaly_threshold": 25, - "author": [ - "Elastic" - ], - "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.", - "false_positives": [ - "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_rare_kernel_module_arguments", - "name": "Anomalous Kernel Module Activity", - "references": [ - "references" - ], - "risk_score": 21, - "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 3 + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.", + "false_positives": [ + "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_rare_kernel_module_arguments", + "name": "Anomalous Kernel Module Activity", + "references": [ + "references" + ], + "risk_score": 21, + "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "37b0816d-af40-40b4-885f-bb162b3c88a9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-37b211e8-4e2f-440f-86d8-06cc8f158cfa.json b/packages/security_detection_engine/kibana/security_rule/rule-37b211e8-4e2f-440f-86d8-06cc8f158cfa.json index 2778408368f..87805fe95fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-37b211e8-4e2f-440f-86d8-06cc8f158cfa.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-37b211e8-4e2f-440f-86d8-06cc8f158cfa.json 
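Review bot: `"references": ["references"]` on the new side is a placeholder string, not a URL, and it will be rendered verbatim as a reference in Kibana; either drop the array or point it at the documentation for the `linux_rare_kernel_module_arguments` ML job. If this file is generated from the upstream rule, the placeholder needs fixing there so it does not reappear on the next regeneration.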
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Execution via System Manager", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" - ], - "risk_score": 21, - "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution 
of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Execution via System Manager", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" + ], + "risk_score": 21, + "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", + "type": "security_rule" } \ No newline at end of file 
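Review bot: The ATT&CK mapping (Initial Access / T1566.002 Spearphishing Link) does not describe what `ssm.amazonaws.com` `SendCommand` is — remote command execution by an already-authenticated principal, as the description itself says — so Execution / T1059 Command and Scripting Interpreter (with Lateral Movement / T1021 Remote Services as a secondary) would be the honest mapping for analysts pivoting on technique. The `note` says only "The AWS Filebeat module must be enabled", yet `index` includes `logs-aws*`, which is the Fleet integration data stream; align the wording with the Okta/Azure rules in this change (`The AWS Fleet integration or Filebeat module must be enabled to use this rule.`). Because the query does not filter on the SSM document name, every `SendCommand` (inventory, patch baselines, run-command automation) fires; that is acceptable at `low`, but the `false_positives` entry should mention scheduled automation so operators know to exempt it.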
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-37f638ea-909d-4f94-9248-edd21e4a9906.json b/packages/security_detection_engine/kibana/security_rule/rule-37f638ea-909d-4f94-9248-edd21e4a9906.json index 7ff1dfb3dab..4c552f4284d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-37f638ea-909d-4f94-9248-edd21e4a9906.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-37f638ea-909d-4f94-9248-edd21e4a9906.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", - "false_positives": [ - "Trusted Finder Sync Plugins" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Finder Sync Plugin Registered and Enabled", - "query": "sequence by host.id, user.id with maxspan = 5s\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n )\n ]\n", - "references": [ - "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" - ], - "risk_score": 47, - "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], 
+ "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", + "false_positives": [ + "Trusted Finder Sync Plugins" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Finder Sync Plugin Registered and Enabled", + "query": "sequence by host.id, user.id with maxspan = 5s\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n )\n ]\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "risk_score": 47, + "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "type": "security_rule" } \ No newline at end 
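Review bot: The second sequence step excludes trusted plugins purely by the identifier passed to `pluginkit -e use -i`, so a rogue Finder Sync extension that registers itself under one of the allow-listed identifiers (for example `com.microsoft.OneDrive.FinderSync`) is silently suppressed; the allow-list should also tie the identifier to the expected bundle path from the first step's `pluginkit -a` argument (e.g. require `process.args : \"/Applications/OneDrive.app/*\"` in step one for that identifier) rather than trusting the string alone. The `references` URL contains unencoded spaces (`Leo Pitt/Hey_Im_Still...`); percent-encode them so the link resolves in clients that truncate at whitespace.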
of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3805c3dc-f82c-4f8d-891e-63c24d3102b0.json b/packages/security_detection_engine/kibana/security_rule/rule-3805c3dc-f82c-4f8d-891e-63c24d3102b0.json index 614add678f8..c07105e65ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3805c3dc-f82c-4f8d-891e-63c24d3102b0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3805c3dc-f82c-4f8d-891e-63c24d3102b0.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempted Bypass of Okta MFA", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 73, - "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", - "severity": "high", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1111", - "name": "Two-Factor Authentication Interception", - "reference": "https://attack.mitre.org/techniques/T1111/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). 
An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempted Bypass of Okta MFA", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 73, + "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", + "severity": "high", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1111", + "name": "Two-Factor Authentication Interception", + "reference": "https://attack.mitre.org/techniques/T1111/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3838e0e3-1850-4850-a411-2e8c5ba40ba8.json b/packages/security_detection_engine/kibana/security_rule/rule-3838e0e3-1850-4850-a411-2e8c5ba40ba8.json index 66b0ea5349b..bac615780eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3838e0e3-1850-4850-a411-2e8c5ba40ba8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3838e0e3-1850-4850-a411-2e8c5ba40ba8.json 
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Certutil", - "query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n", - "risk_score": 21, - "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies certutil.exe making a network connection. 
Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n", + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-38948d29-3d5d-42e3-8aec-be832aaaf8eb.json b/packages/security_detection_engine/kibana/security_rule/rule-38948d29-3d5d-42e3-8aec-be832aaaf8eb.json index e10fb553160..f8f03d0db56 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-38948d29-3d5d-42e3-8aec-be832aaaf8eb.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-38948d29-3d5d-42e3-8aec-be832aaaf8eb.json 
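Review bot: The `cidrmatch` exclusion in the network step of `query` drops only the three RFC 1918 ranges, so loopback, link-local, multicast and IPv6 local traffic (certutil talking to a local proxy on 127.0.0.1, for instance) is still classified as an Internet connection. The VNC rule later in this same commit excludes `127.0.0.0/8`, `169.254.0.0/16`, `224.0.0.0/4`, `"::1"`, `"FE80::/10"` and `"FF00::/8"`; aligning this rule would read `not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1", "FE80::/10", "FF00::/8")`. Separately, both sequence steps key on `process.name : "certutil.exe"` alone, so a renamed copy of the binary is not matched; the NTDS/SAM rule below uses `process.pe.original_file_name` for exactly that reason, and adding `or process.pe.original_file_name : "CertUtil.exe"` to each step is worth considering (the exact original file name should be confirmed against the binary's version resource).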
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Prompt for Credentials with OSASCRIPT", - "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", - "references": [ - "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", - "https://ss64.com/osx/osascript.html" - ], - "risk_score": 73, - "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1056", - "name": "Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/", - "subtechnique": [ - { - "id": "T1056.002", - "name": "GUI Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Prompt for Credentials with OSASCRIPT", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : 
\"osascript*display dialog*password*\"\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", + "https://ss64.com/osx/osascript.html" + ], + "risk_score": 73, + "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.002", + "name": "GUI Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json b/packages/security_detection_engine/kibana/security_rule/rule-38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json index 637d02ffcdd..d0cfa3eaff1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json 
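Review bot: The `description` says the rule catches scripts executed via standard input, but `query` only matches when the literal text `display dialog` and `password` appear in `process.command_line`, i.e. when the script is passed inline with `-e`; a script piped through stdin leaves the command line as just `osascript` and produces no match. Either the description should be corrected to describe inline script text, or a `note` should record that stdin-delivered scripts are outside what process telemetry can see here. A wording that matches the query: `Identifies the use of osascript to execute inline scripts that may prompt a user with a rogue dialog for credentials; scripts supplied via standard input are not visible on the command line and are not detected by this rule.`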
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Added as Owner for Azure Service Principal", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" - ], - "risk_score": 21, - "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a user is added as an owner for an Azure service principal. 
The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added as Owner for Azure Service Principal", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" + ], + "risk_score": 21, + "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-39144f38-5284-4f8e-a2ae-e3fd628d90b0.json b/packages/security_detection_engine/kibana/security_rule/rule-39144f38-5284-4f8e-a2ae-e3fd628d90b0.json index 81c6808c4b5..d251e1e3c57 100644 
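Review bot: The `note` says only the Azure Filebeat module must be enabled, yet `index` also targets `logs-azure*`, which is the Fleet integration data stream; the Okta rules in this same commit word the equivalent note as "Fleet integration or Filebeat module". Suggest `"note": "The Azure Fleet integration or Filebeat module must be enabled to use this rule."` so operators on Fleet-only deployments do not conclude the rule does not apply to them. The same gap exists in the AWS network ACL rule below, whose `index` includes `logs-aws*` while its note names only the Filebeat module.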
--- a/packages/security_detection_engine/kibana/security_rule/rule-39144f38-5284-4f8e-a2ae-e3fd628d90b0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-39144f38-5284-4f8e-a2ae-e3fd628d90b0.json 
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", - "false_positives": [ - "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Network Access Control List Creation", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" - ], - "risk_score": 21, - "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", + "false_positives": [ + "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Network Access Control List Creation", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" + ], + "risk_score": 21, + "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + 
] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-397945f3-d39a-4e6f-8bcb-9656c2031438.json b/packages/security_detection_engine/kibana/security_rule/rule-397945f3-d39a-4e6f-8bcb-9656c2031438.json index e0e7fb6c19d..8eaf0cb5b13 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-397945f3-d39a-4e6f-8bcb-9656c2031438.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-397945f3-d39a-4e6f-8bcb-9656c2031438.json 
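Review bot: `CreateNetworkAclEntry` fires on every successful entry creation, including deny rules and egress rules, because `query` never inspects the request parameters, so the rule cannot distinguish an administrator tightening a NACL from an attacker opening one; that makes the Persistence/T1133 mapping hard to defend for most alerts it will raise. If the CloudTrail integration preserves request parameters, constraining on the entry's rule action and direction (allow, ingress, a wide CIDR) would narrow it to the behaviour the description implies; otherwise the `false_positives` text should say plainly that this is an audit-style catch-all. It is also worth checking that `ReplaceNetworkAclEntry` and `ReplaceNetworkAclAssociation`, the more direct ways to weaken an existing NACL, are covered by a sibling rule, since neither is in this `event.action` list. The `note` names only the Filebeat module while `index` includes the Fleet data stream `logs-aws*`; `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` would match the Okta rules in this commit.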
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", - "false_positives": [ - "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Microsoft Outlook VBA", - "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", - "references": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" - ], - "risk_score": 47, - "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1137", - "name": "Office Application Startup", - "reference": "https://attack.mitre.org/techniques/T1137/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", + "false_positives": [ + "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." 
+ ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Outlook VBA", + "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", + "references": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" + ], + "risk_score": 47, + "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3a59fc81-99d3-47ea-8cd6-d48d561fca20.json b/packages/security_detection_engine/kibana/security_rule/rule-3a59fc81-99d3-47ea-8cd6-d48d561fca20.json index 7c024f7e74d..7e784de9b19 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3a59fc81-99d3-47ea-8cd6-d48d561fca20.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3a59fc81-99d3-47ea-8cd6-d48d561fca20.json 
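Review bot: `file.path` in `query` is anchored to `C:\Users\*`, so a VbaProject.OTM written under a profile rooted on another drive or a redirected profile is not matched even though the rest of the path is identical. A single-character wildcard for the drive letter keeps the rule tight while removing that assumption: at EQL level (before JSON escaping) `file.path : "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"`. The `false_positives` entry already names OUTLOOK.EXE as the legitimate writer; if the file events carry `process.name`, excluding it with `and not process.name : "outlook.exe"` would cut interactive-authoring noise at the cost of missing an attacker who drives the Outlook VBA editor by hand, and whichever way that trade-off goes it should be stated in `false_positives`.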
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential DNS Tunneling via NsLookup", - "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)", - "references": [ - "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" - ], - "risk_score": 47, - "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id" + "attributes": { + "author": [ + "Elastic" ], - "value": 15 + "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. 
This may indicate command and control activity utilizing the DNS protocol.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via NsLookup", + "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)", + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + ], + "risk_score": 47, + "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 15 + }, + "type": "threshold", + "version": 2 }, - "type": "threshold", - "version": 2 + "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3ad49c61-7adc-42c1-b788-732eda2f5abf.json b/packages/security_detection_engine/kibana/security_rule/rule-3ad49c61-7adc-42c1-b788-732eda2f5abf.json index ce5352dd118..3c3d2de7ad5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3ad49c61-7adc-42c1-b788-732eda2f5abf.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3ad49c61-7adc-42c1-b788-732eda2f5abf.json 
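Review bot: `query` restricts to `event.type:start`, while the cmd.exe parent-process rule in this same commit, which reads the identical `winlogbeat-*`/`logs-endpoint.events.*`/`logs-windows.*` indices, matches `event.type:(start or process_started)`; if any of those sources still emit `process_started`, this threshold silently undercounts on them. Aligning to `event.type:(start or process_started)` is the low-risk fix. This is also the only rule in this set without `"timestamp_override": "event.ingested"`, so events ingested late may fall outside the `now-9m` window and never contribute to the count of 15; adding the override matches the siblings. A `false_positives` entry for administrator DNS troubleshooting scripts would help too, since 15 typed lookups from one host in nine minutes is plausible for legitimate tooling.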
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Software", - "reference": 
"https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
+ ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3b382770-efbb-44f4-beed-f5e0a051b895.json b/packages/security_detection_engine/kibana/security_rule/rule-3b382770-efbb-44f4-beed-f5e0a051b895.json index c8b4a8b01b8..9a4a83ff225 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3b382770-efbb-44f4-beed-f5e0a051b895.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3b382770-efbb-44f4-beed-f5e0a051b895.json 
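Review bot: The port window in `query`, `destination.port >= 5800 and destination.port <= 5810`, covers only the VNC HTTP/Java-viewer ports; the RFB protocol that VNC clients actually speak listens on 5900 plus the display number, so an ordinary VNC session to the Internet is not matched by a rule named "VNC to the Internet". If the HTTP-viewer-only scope is intentional, `name` and `description` should say so; otherwise widen to `((destination.port >= 5800 and destination.port <= 5810) or (destination.port >= 5900 and destination.port <= 5910))` and keep the existing source/destination CIDR filters unchanged. The description's claim that VNC "should almost never be directly exposed to the Internet" is about inbound exposure, while this rule matches outbound connections from private sources; a one-clause tweak ("outbound VNC from internal hosts to Internet addresses") would make the two agree.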
@@ -1,24 +1,28 @@ { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Malware - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", - "risk_score": 73, - "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", - "severity": "high", - "tags": [ - "Elastic", - "Elastic Endgame" - ], - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Malware - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 5 + }, + "id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3b47900d-e793-49e8-968f-c90dc3526aa1.json b/packages/security_detection_engine/kibana/security_rule/rule-3b47900d-e793-49e8-968f-c90dc3526aa1.json index fe8d1b4c3bb..5dca60a6343 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-3b47900d-e793-49e8-968f-c90dc3526aa1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3b47900d-e793-49e8-968f-c90dc3526aa1.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Parent Process for cmd.exe", - "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)", - "risk_score": 47, - "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and 
process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)", + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3bc6deaa-fbd4-433a-ae21-3e892f95624f.json b/packages/security_detection_engine/kibana/security_rule/rule-3bc6deaa-fbd4-433a-ae21-3e892f95624f.json index b5dfe140653..e6ac30d5820 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3bc6deaa-fbd4-433a-ae21-3e892f95624f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3bc6deaa-fbd4-433a-ae21-3e892f95624f.json 
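Review bot: `query` is KQL over `process.name` and `process.parent.name`, which ECS defines as keyword fields, so if they are mapped that way the match is case-sensitive and the mixed-case list (`LogonUI.exe`, `GoogleUpdate.exe`, `SIHClient.exe`, `SearchIndexer.exe`, `WerFault.exe`, `WUDFHost.exe`) only fires when the source reports exactly that casing; a source that lower-cases image names, or a parent recorded as `logonui.exe`, is missed. The EQL rules in this same commit avoid the problem with the case-insensitive `:` operator; converting this rule to EQL, e.g. `process where event.type in ("start", "process_started") and process.name : "cmd.exe" and process.parent.name : ("lsass.exe", "csrss.exe", ...)` with the rest of the list unchanged, makes matching independent of casing. If it stays KQL, at minimum confirm the casing each of the three index sources emits for these parents and record that assumption in a `note`.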
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "NTDS or SAM Database File Copied", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n", - "references": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/" - ], - "risk_score": 73, - "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. 
Those files contain sensitive information including hashed domain and/or local credentials.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "NTDS or SAM Database File Copied", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n", + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/" + ], + "risk_score": 73, + "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json b/packages/security_detection_engine/kibana/security_rule/rule-3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json index b54ad6c5ab2..0bf28312347 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json 
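Review bot: The `name` ("NTDS or SAM Database File Copied") and `description` read as covering any copy of these files, but the query only fires when `process.pe.original_file_name` is one of `Cmd.Exe`, `PowerShell.EXE` or `XCOPY.EXE`, so that scope should be stated where the analyst reads it, e.g. append `This rule covers copies performed through cmd.exe, PowerShell or xcopy.` to the description. `"max_signals": 33` is an unusual cap with no visible rationale; if it is deliberate, the rule source (this JSON cannot carry a comment) should say why.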
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", - "name": "Unusual Linux Network Port Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3e002465-876f-4f04-b016-84ef48ce7e5d.json b/packages/security_detection_engine/kibana/security_rule/rule-3e002465-876f-4f04-b016-84ef48ce7e5d.json index 8ebdd1d70b9..370e4e4bd32 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3e002465-876f-4f04-b016-84ef48ce7e5d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3e002465-876f-4f04-b016-84ef48ce7e5d.json 
@@ -1,77 +1,81 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", - "false_positives": [ - "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Updated", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" - ], - "risk_score": 21, - "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", + "false_positives": [ + "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Updated", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" + ], + "risk_score": 21, + "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage Object", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + { + "framework": "MITRE 
ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage Object", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "3e002465-876f-4f04-b016-84ef48ce7e5d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3e3d15c6-1509-479a-b125-21718372157e.json b/packages/security_detection_engine/kibana/security_rule/rule-3e3d15c6-1509-479a-b125-21718372157e.json index ea0f7d1354b..25a48973ea1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3e3d15c6-1509-479a-b125-21718372157e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3e3d15c6-1509-479a-b125-21718372157e.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Emond Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", - "references": [ - "https://www.xorrior.com/emond-persistence/" - ], - "risk_score": 47, - "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.014", - "name": "Emond", - "reference": "https://attack.mitre.org/techniques/T1546/014/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). 
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Emond Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "risk_score": 47, + "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "3e3d15c6-1509-479a-b125-21718372157e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3ecbdc9e-e4f2-43fa-8cca-63802125e582.json b/packages/security_detection_engine/kibana/security_rule/rule-3ecbdc9e-e4f2-43fa-8cca-63802125e582.json index ab3407fa176..44276d5756a 100644 
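Review bot: In the `process.name` list of the query, the literal `"Python"` entry is redundant with `"python*"`: EQL's `:` operator is case-insensitive and the wildcard pattern already matches it, so dropping the literal keeps the list shorter to audit. This is a style point only — the set of matched names is unchanged.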
--- a/packages/security_detection_engine/kibana/security_rule/rule-3ecbdc9e-e4f2-43fa-8cca-63802125e582.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3ecbdc9e-e4f2-43fa-8cca-63802125e582.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privilege Escalation via Named Pipe Impersonation", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", - "references": [ - "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation" - ], - "risk_score": 73, - "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. 
An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation" + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-3efee4f0-182a-40a8-a835-102c68a4175d.json b/packages/security_detection_engine/kibana/security_rule/rule-3efee4f0-182a-40a8-a835-102c68a4175d.json index 0ee9e1e610c..3d6ac9ca3c3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-3efee4f0-182a-40a8-a835-102c68a4175d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-3efee4f0-182a-40a8-a835-102c68a4175d.json 
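Review bot: The `description` has a wording slip that is shown to analysts in the alert: `a framework such Metasploit's meterpreter getsystem command` should read `a framework such as Metasploit's meterpreter getsystem command`. It should be corrected in the rule source rather than only in this generated/packaged copy, so a later regeneration does not reintroduce it.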
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Password Spraying of Microsoft 365 User Accounts", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", - "risk_score": 73, - "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "source.ip" + "attributes": { + "author": [ + "Elastic" ], - "value": 25 + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. 
An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 2 }, - "type": "threshold", - "version": 2 + "id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-403ef0d3-8259-40c9-a5b6-d48354712e49.json b/packages/security_detection_engine/kibana/security_rule/rule-403ef0d3-8259-40c9-a5b6-d48354712e49.json index 2bf372ae198..41ea47d2126 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-403ef0d3-8259-40c9-a5b6-d48354712e49.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-403ef0d3-8259-40c9-a5b6-d48354712e49.json 
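Review bot: The `description` hard-codes numbers the rule already carries as data — `(25)` duplicates `threshold.value` and `within 30 minutes` duplicates `"from": "now-30m"` — so tuning either field without re-editing the prose leaves the alert text wrong. Either phrase the description without the literal numbers or make the coupling explicit in the rule source so both are updated together.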
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Persistence via Services Registry", - "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", - "risk_score": 21, - "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": 
"https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Persistence via Services Registry", + "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "risk_score": 21, + "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-41824afb-d68c-4d0e-bfee-474dac1fa56e.json b/packages/security_detection_engine/kibana/security_rule/rule-41824afb-d68c-4d0e-bfee-474dac1fa56e.json index 4424fb5cc8f..4b715c98072 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-41824afb-d68c-4d0e-bfee-474dac1fa56e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-41824afb-d68c-4d0e-bfee-474dac1fa56e.json 
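Review bot: The rule carries a sizeable exclusion list in its query (`C:\\Program Files*\\*.exe`, `svchost.exe`, `TiWorker.exe`, `drvinst.exe`, `services.exe`, `msiexec.exe`, `regsvr32.exe`, plus the `procexp` driver case) but has no `false_positives` entry, which is exactly where the reasons for those exclusions belong. Adding a `false_positives` array that names the legitimate installers and service hosts the exclusions are meant to cover would let an analyst tune the list later without guessing at the original intent.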
@@ -1,32 +1,36 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "EggShell Backdoor Execution", - "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*", - "references": [ - "https://github.com/neoneggplant/EggShell" - ], - "risk_score": 73, - "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Execution" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "EggShell Backdoor Execution", + "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*", + "references": [ + "https://github.com/neoneggplant/EggShell" + ], + "risk_score": 73, + "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", + "type": "security_rule" } \ No newline at end of file 
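Review bot: The `description` contains a typo in analyst-facing text: `Identifies the execution of and EggShell Backdoor.` should be `Identifies the execution of an EggShell Backdoor.`. Fix it in the rule source so the next regeneration of this file picks it up.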
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-41b638a1-8ab6-4f8e-86d9-466317ef2db5.json b/packages/security_detection_engine/kibana/security_rule/rule-41b638a1-8ab6-4f8e-86d9-466317ef2db5.json index 2dfc3a1be79..231dc61d16b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-41b638a1-8ab6-4f8e-86d9-466317ef2db5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-41b638a1-8ab6-4f8e-86d9-466317ef2db5.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Hidden Local User Account Creation", - "query": "event.category:process and event.type:(start or process_started) and process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))", - "references": [ - "https://support.apple.com/en-us/HT203998" - ], - "risk_score": 47, - "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. 
This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Hidden Local User Account Creation", + "query": "event.category:process and event.type:(start or process_started) and process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))", + "references": [ + "https://support.apple.com/en-us/HT203998" + ], + "risk_score": 47, + "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-42bf698b-4738-445b-8231-c834ddefd8a0.json b/packages/security_detection_engine/kibana/security_rule/rule-42bf698b-4738-445b-8231-c834ddefd8a0.json index 4eb1f415991..42f1c67b17b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-42bf698b-4738-445b-8231-c834ddefd8a0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-42bf698b-4738-445b-8231-c834ddefd8a0.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Okta Brute Force or Password Spraying Attack", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "source.ip" + "attributes": { + "author": [ + "Elastic" ], - "value": 25 + "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. 
An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta Brute Force or Password Spraying Attack", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 4 }, - "type": "threshold", - "version": 4 + "id": "42bf698b-4738-445b-8231-c834ddefd8a0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4330272b-9724-4bc6-a3ca-f1532b81e5c2.json b/packages/security_detection_engine/kibana/security_rule/rule-4330272b-9724-4bc6-a3ca-f1532b81e5c2.json index fb8d325795e..47f9dc2f99b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4330272b-9724-4bc6-a3ca-f1532b81e5c2.json 
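Review bot: The `threshold` block groups only on `source.ip` with `value` 25 and no `cardinality`, so 25 failures against one account from one address (the locked-out user or misconfigured client the `false_positives` entry already anticipates) and 25 failures spread across 25 accounts look identical to this rule, even though the description distinguishes brute force from password spraying. If the target Kibana version supports `threshold.cardinality`, a bound on distinct `user.name` values would let a spraying variant of this rule fire only when many accounts are involved. Failures distributed across many source addresses will not reach a per-IP threshold at all, which the description should say; both are limits of the rule as rewrapped rather than of the wrapper change.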
+++ b/packages/security_detection_engine/kibana/security_rule/rule-4330272b-9724-4bc6-a3ca-f1532b81e5c2.json
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Identifies an unusually high number of authentication attempts.",
- "false_positives": [
- "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "suspicious_login_activity_ecs",
- "name": "Unusual Login Activity",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an unusually high number of authentication attempts.",
+ "false_positives": [
+ "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "suspicious_login_activity_ecs",
+ "name": "Unusual Login Activity",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-43303fd4-4839-4e48-b2b2-803ab060758d.json b/packages/security_detection_engine/kibana/security_rule/rule-43303fd4-4839-4e48-b2b2-803ab060758d.json index 659ea83f0a7..da557a2cbf9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-43303fd4-4839-4e48-b2b2-803ab060758d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-43303fd4-4839-4e48-b2b2-803ab060758d.json 
@@ -1,47 +1,51 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "A request to a web application server contained no identifying user agent string.",
- "false_positives": [
- "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
- ],
- "filters": [
- {
- "$state": {
- "store": "appState"
- },
- "exists": {
- "field": "user_agent.original"
- },
- "meta": {
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "user_agent.original",
- "negate": true,
- "type": "exists",
- "value": "exists"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A request to a web application server contained no identifying user agent string.",
+ "false_positives": [
+ "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+ ],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "exists": {
+ "field": "user_agent.original"
+ },
+ "meta": {
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "user_agent.original",
+ "negate": true,
+ "type": "exists",
+ "value": "exists"
+ }
 }
- }
- ],
- "index": [
- "apm-*-transaction*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Web Application Suspicious Activity: No User Agent",
- "query": "url.path:*",
- "references": [
- "https://en.wikipedia.org/wiki/User_agent"
- ],
- "risk_score": 47,
- "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "APM"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ ],
+ "index": [
+ "apm-*-transaction*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Web Application Suspicious Activity: No User Agent",
+ "query": "url.path:*",
+ "references": [
+ "https://en.wikipedia.org/wiki/User_agent"
+ ],
+ "risk_score": 47,
+ "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "APM"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-440e2db4-bc7f-4c96-a068-65b78da59bde.json b/packages/security_detection_engine/kibana/security_rule/rule-440e2db4-bc7f-4c96-a068-65b78da59bde.json
index d980773788f..58b3b82d490 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-440e2db4-bc7f-4c96-a068-65b78da59bde.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-440e2db4-bc7f-4c96-a068-65b78da59bde.json
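Review bot: The filter's `meta.indexRefName` (`kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index`) names a saved-object reference, but the new top-level object adds only `id` and `type` and no `references` array that could resolve it. If the package installer resolves `indexRefName` through saved-object references this binding is dangling; if the detection engine ignores it, the key is inert and could be dropped from the generated output. Either way the generator should make the intended behaviour explicit rather than carrying the key over unchanged. Note also that `index` covers only `apm-*-transaction*`, so the `url.path:*` query combined with the negated exists filter depends entirely on that data stream populating `url.path` and `user_agent.original` in ECS form.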
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Shortcut File Written or Modified for Persistence", - "query": "file where event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", - "risk_score": 47, - "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the 
startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shortcut File Written or Modified for Persistence", + "query": "file where event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "type": "security_rule" } \ No newline at end of file 
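Review bot: The `name` says "Shortcut File Written or Modified for Persistence", but the EQL `query` on the new side matches any `file.path` under the two Startup folders with no `file.extension` or `.lnk` constraint, and the `description` agrees with the query ("files written to or modified in the startup folder"), so the name overstates what is matched. Keeping the broad match is the better detection choice; rename instead, e.g. `"name": "File Written or Modified in Startup Folder by Commonly Abused Process"`, or add a clause to the description saying that any file type written by the listed processes is reported. The `winlogbeat-*` index presumably only supplies these file events when a sensor that emits them is shipping through Winlogbeat, which is worth a line in the description since `logs-endpoint.events.*` is the source that populates `file.path` natively.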
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-445a342e-03fb-42d0-8656-0367eb2dead5.json b/packages/security_detection_engine/kibana/security_rule/rule-445a342e-03fb-42d0-8656-0367eb2dead5.json index 231751238a0..7ff2a545b86 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-445a342e-03fb-42d0-8656-0367eb2dead5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-445a342e-03fb-42d0-8656-0367eb2dead5.json 
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_anomalous_path_activity_ecs", - "name": "Unusual Windows Path Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. 
Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_anomalous_path_activity_ecs", + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-453f659e-0429-40b1-bfdb-b6957286e04b.json b/packages/security_detection_engine/kibana/security_rule/rule-453f659e-0429-40b1-bfdb-b6957286e04b.json index 2de2f2558fe..e1f7fe9d2a2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-453f659e-0429-40b1-bfdb-b6957286e04b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-453f659e-0429-40b1-bfdb-b6957286e04b.json 
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Permission Theft - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
- "risk_score": 47,
- "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Permission Theft - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+ "risk_score": 47,
+ "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-45ac4800-840f-414c-b221-53dd36a5aaf7.json b/packages/security_detection_engine/kibana/security_rule/rule-45ac4800-840f-414c-b221-53dd36a5aaf7.json
index 1c8ece4ce42..eb2777dd471 100644
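Review bot: This rule carries no `threat` mapping, unlike every other detection rule in this chunk, although the `query` keys on `token_protection_event` and the name calls it Permission Theft; a `threat` entry for ATT&CK Access Token Manipulation (T1134) would make the alert navigable in the same way as the rest of the package. It also sets no `timestamp_override`, while the other query rules here use `"timestamp_override": "event.ingested"`; with `from` at `now-15m` and `interval` at `10m`, Endgame events that arrive late will fall outside the lookback unless that omission is deliberate, in which case a short note in the description would explain it.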
--- a/packages/security_detection_engine/kibana/security_rule/rule-45ac4800-840f-414c-b221-53dd36a5aaf7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-45ac4800-840f-414c-b221-53dd36a5aaf7.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic", - "Anabella Cristaldi" - ], - "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows Event Logs Cleared", - "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")", - "risk_score": 21, - "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. 
This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Event Logs Cleared", + "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")", + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-45d273fb-1dca-457d-9855-bcb302180c21.json b/packages/security_detection_engine/kibana/security_rule/rule-45d273fb-1dca-457d-9855-bcb302180c21.json index 79941d1dc59..236a8014760 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-45d273fb-1dca-457d-9855-bcb302180c21.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-45d273fb-1dca-457d-9855-bcb302180c21.json 
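Review bot: The rule has no `false_positives` entry even though clearing an event log is also what scheduled maintenance and log-rotation tooling does, and the `query` on the new side, `event.action:("audit-log-cleared" or "Log clear")`, does not distinguish by actor or channel; other rules in this chunk document their known benign triggers, so this one should too. An entry such as `"Scheduled maintenance or log-rotation tasks may clear event logs; exclude the responsible accounts or hosts if they trigger this rule."` would match the package's convention. The description speaks of "attempts to clear" while the matched event names indicate a log that has already been cleared; "Identifies Windows event log stores being cleared" would be more precise.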
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Encrypting Files with WinRar or 7z", - "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n", - "references": [ - "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" - ], - "risk_score": 47, - "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1560", - "name": "Archive Collected Data", - "reference": "https://attack.mitre.org/techniques/T1560/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of WinRar or 7z to create an encrypted files. 
Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encrypting Files with WinRar or 7z", + "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n", + "references": [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + ], + "risk_score": 47, + "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "45d273fb-1dca-457d-9855-bcb302180c21", + "type": "security_rule" } \ No newline at end of file 
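Review bot: The `description` string on the new side has a grammatical slip, "to create an encrypted files"; it should read `"Identifies use of WinRar or 7z to create encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration."` Separately, the 7z branch of the `query` keys only on `process.pe.original_file_name in ("7z.exe", "7za.exe")`, whereas the WinRAR branch also accepts `process.name` and `process.code_signature.subject_name`; on a data source that does not populate PE metadata the 7z branch can never match, which deserves a line in the description or a `process.name` alternative if that gap is not intended. The commented-out parent-executable exclusion inside the query string is useful guidance but belongs in a `note` field rather than in the executed query text.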
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4630d948-40d4-4cef-ac69-4002e29bc3db.json b/packages/security_detection_engine/kibana/security_rule/rule-4630d948-40d4-4cef-ac69-4002e29bc3db.json index b30ba1707f2..438ab2a66f4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4630d948-40d4-4cef-ac69-4002e29bc3db.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4630d948-40d4-4cef-ac69-4002e29bc3db.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Adding Hidden File Attribute via Attrib", - "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h", - "risk_score": 21, - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h", + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + 
"reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-46f804f5-b289-43d6-a881-9387cf594f75.json b/packages/security_detection_engine/kibana/security_rule/rule-46f804f5-b289-43d6-a881-9387cf594f75.json index 4c805b812c0..44d2dc65e3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-46f804f5-b289-43d6-a881-9387cf594f75.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-46f804f5-b289-43d6-a881-9387cf594f75.json 
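Review bot: The second `threat` entry maps the Persistence tactic (TA0003) with `"technique": []`, so the rule claims a tactic with no technique behind it; if the intent is that hiding a dropped file supports persistence, map the technique that motivates it, otherwise drop the entry so ATT&CK coverage reporting stays honest. The `tags` array lists "Defense Evasion" but not "Persistence", a second sign that the empty mapping is a leftover. On the query, `process.args:+h` is a case-sensitive match on a keyword field unless the field is normalised at ingest, and attrib accepts `+H` as well, so either match both forms or state the normalisation assumption in the description.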
@@ -1,31 +1,35 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_process_by_host_linux_ecs", - "name": "Unusual Process For a Linux Host", - "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_process_by_host_linux_ecs", + "name": "Unusual Process For a Linux Host", + "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "46f804f5-b289-43d6-a881-9387cf594f75", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-47f76567-d58a-4fed-b32b-21f571e28910.json b/packages/security_detection_engine/kibana/security_rule/rule-47f76567-d58a-4fed-b32b-21f571e28910.json index 7488d9747a4..02668ab1334 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-47f76567-d58a-4fed-b32b-21f571e28910.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-47f76567-d58a-4fed-b32b-21f571e28910.json 
@@ -1,63 +1,67 @@ { - "author": [ - "Elastic" - ], - "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Apple Script Execution followed by Network Connection", - "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \n \"172.16.0.0/12\", \n \"192.168.0.0/16\", \n \"127.0.0.0/8\", \n \"169.254.0.0/16\", \n \"224.0.0.0/4\", \n \"FE80::/10\", \n \"FF00::/8\")\n ]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html" - ], - "risk_score": 47, - "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Command and Control", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. 
Adversaries may use malicious scripts for execution and command and control.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Script Execution followed by Network Connection", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \n \"172.16.0.0/12\", \n \"192.168.0.0/16\", \n \"127.0.0.0/8\", \n \"169.254.0.0/16\", \n \"224.0.0.0/4\", \n \"FE80::/10\", \n \"FF00::/8\")\n ]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html" + ], + "risk_score": 47, + "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Command and Control", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 2 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": 
"TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "47f76567-d58a-4fed-b32b-21f571e28910", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json b/packages/security_detection_engine/kibana/security_rule/rule-483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json index 6e7d0f7f529..e0b60d728d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json 
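Review bot: The rewritten file still ends without a trailing newline (`\ No newline at end of file`), and the same holds for every other rule file in this range (the sections ending at L380, L383, L387, L389, L391, L393, L396 and L398). Files under version control should end with a single LF so that later edits to the last line do not show up as a two-line diff and so `cat`/`jq`-style tooling behaves predictably. Since these look like exporter output, the fix belongs in the generator rather than in hand edits: emit `}\n` as the final bytes instead of `}`.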
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", - "false_positives": [ - "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "query": "process where event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.name : (\"werfault.exe\", \"wermgr.exe\")\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" - ], - "risk_score": 47, - "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26857.", + "false_positives": [ + "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "query": "process where event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.name : (\"werfault.exe\", \"wermgr.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "risk_score": 47, + "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-48ec9452-e1fd-4513-a376-10a1a26d2c83.json b/packages/security_detection_engine/kibana/security_rule/rule-48ec9452-e1fd-4513-a376-10a1a26d2c83.json index 2eabb573d51..32b49d0f3ef 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-48ec9452-e1fd-4513-a376-10a1a26d2c83.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-48ec9452-e1fd-4513-a376-10a1a26d2c83.json 
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Periodic Tasks", - "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)", - "references": [ - "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", - "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", - "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" - ], - "risk_score": 21, - "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the default configuration for periodic tasks. 
Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Periodic Tasks", + "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)", + "references": [ + "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", + "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", + "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" + ], + "risk_score": 21, + "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4a4e23cf-78a2-449c-bac3-701924c269d3.json b/packages/security_detection_engine/kibana/security_rule/rule-4a4e23cf-78a2-449c-bac3-701924c269d3.json index ff415a8bd84..b87edb107d7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4a4e23cf-78a2-449c-bac3-701924c269d3.json 
+++ b/packages/security_detection_engine/kibana/security_rule/rule-4a4e23cf-78a2-449c-bac3-701924c269d3.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", - "false_positives": [ - "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations." - ], - "index": [ - "packetbeat-*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Possible FIN7 DGA Command and Control Behavior", - "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", - "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us", - "references": [ - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" - ], - "risk_score": 73, - "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", - "severity": "high", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a known command and control pattern in network events. 
The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", + "false_positives": [ + "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations." + ], + "index": [ + "packetbeat-*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Possible FIN7 DGA Command and Control Behavior", + "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", + "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "risk_score": 73, + "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", + "severity": "high", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" }, - { - "id": "T1568", - "name": "Dynamic Resolution", - "reference": "https://attack.mitre.org/techniques/T1568/", - "subtechnique": [ - { - "id": "T1568.002", - "name": "Domain Generation Algorithms", - "reference": "https://attack.mitre.org/techniques/T1568/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": 
"https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "4a4e23cf-78a2-449c-bac3-701924c269d3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4b438734-3793-4fda-bd42-ceeada0be8f9.json b/packages/security_detection_engine/kibana/security_rule/rule-4b438734-3793-4fda-bd42-ceeada0be8f9.json index 70dd764495f..d255c68e421 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4b438734-3793-4fda-bd42-ceeada0be8f9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4b438734-3793-4fda-bd42-ceeada0be8f9.json 
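Review bot: The `note` tells users to tune out benign domains by editing the query itself (`...AND NOT destination.domain:(zoom.us OR ...)`), but a prebuilt rule whose query is modified in place no longer tracks upstream versions and the inline exclusion list tends to grow unreviewed. Suggest pointing operators at rule exceptions instead, for example `"note": "In the event this rule identifies benign domains in your environment, add them as a rule exception on the destination.domain field rather than editing the query, so the rule remains upgradable."`. The hard-coded `AND NOT destination.domain:zoom.us` in the query is fine as a shipped default, but the guidance should not encourage extending it.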
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Disable Windows Firewall Rules via Netsh", - "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", - "risk_score": 47, - "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. 
Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Disable Windows Firewall Rules via Netsh", + "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4bd1c1af-79d4-4d37-9efa-6e0240640242.json b/packages/security_detection_engine/kibana/security_rule/rule-4bd1c1af-79d4-4d37-9efa-6e0240640242.json index eee6fac75d9..39024256952 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4bd1c1af-79d4-4d37-9efa-6e0240640242.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4bd1c1af-79d4-4d37-9efa-6e0240640242.json 
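Review bot: The KQL `query` has an operator-precedence defect that survives into the new side: `and` binds tighter than `or`, so the expression parses as `(event.category:process and event.type:(...) and process.name:netsh.exe and process.args:(disable and firewall and set)) or process.args:(advfirewall and off and state)`. The second branch is therefore unconstrained by `event.category`, `event.type` and `process.name`, which fires on process end events as well as start events (duplicate alerts) and on any binary whose arguments contain those three tokens. Group the argument alternatives so both branches share the outer conditions: `"query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:((disable and firewall and set) or (advfirewall and off and state))"`.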
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Process Execution Path - Alternate Data Stream", - "query": "process where event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", - "risk_score": 47, - "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes running from an Alternate Data Stream. 
This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Execution Path - Alternate Data Stream", + "query": "process where event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "risk_score": 47, + "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json b/packages/security_detection_engine/kibana/security_rule/rule-4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json index 5d5c6033b5c..aa190554dc1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Management Console Brute Force of Root User Identity", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - ], - "risk_score": 73, - "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "cloud.account.id" + "attributes": { + "author": [ + "Elastic" ], - "value": 10 + "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. 
An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Brute Force of Root User Identity", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "risk_score": 73, + "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "cloud.account.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 2 }, - "type": "threshold", - "version": 2 + "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json b/packages/security_detection_engine/kibana/security_rule/rule-4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json index 6e426444b7d..348bb53b741 100644 
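Review bot: The `note` says only the AWS Filebeat module must be enabled, but the `index` list also targets `logs-aws*`, which is the data stream written by the AWS Fleet integration, so the prerequisite text is narrower than what the rule actually reads. Suggest `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` so operators on either ingest path know the rule applies to them. The threshold on `cloud.account.id` with `value: 10` over a `now-20m` window is reasonable for the root identity, which should see essentially zero failed console logins in normal operation.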
--- a/packages/security_detection_engine/kibana/security_rule/rule-4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Disable Gatekeeper", - "query": "event.category:process and event.type:(start or process_started) and process.args:(spctl and \"--master-disable\")", - "references": [ - "https://support.apple.com/en-us/HT202491", - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" - ], - "risk_score": 47, - "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. 
Adversaries may attempt to disable Gatekeeper before executing malicious code.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Gatekeeper", + "query": "event.category:process and event.type:(start or process_started) and process.args:(spctl and \"--master-disable\")", + "references": [ + "https://support.apple.com/en-us/HT202491", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" + ], + "risk_score": 47, + "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4ed493fc-d637-4a36-80ff-ac84937e5461.json b/packages/security_detection_engine/kibana/security_rule/rule-4ed493fc-d637-4a36-80ff-ac84937e5461.json index 7af19e8e345..07bf4afb65a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4ed493fc-d637-4a36-80ff-ac84937e5461.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4ed493fc-d637-4a36-80ff-ac84937e5461.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe", - "risk_score": 73, - "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. 
Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe", + "risk_score": 73, + "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json b/packages/security_detection_engine/kibana/security_rule/rule-4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json index e23352ff306..6c6b7d58036 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json 
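Review bot: The `description` carried into the new `attributes` block still reads `review the context of it's use`; it should be `its use`. The rule also ships with no `references` and maps only the parent technique T1059, although the query is specifically `process.name:cmd.exe` spawned by `sqlservr.exe`; adding the Windows Command Shell subtechnique (T1059.003) and a link to the vendor's xp_cmdshell documentation would give analysts the same triage context the neighbouring rules in this change provide. Documentation only; the query itself is unchanged by this commit.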
@@ -1,39 +1,43 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Suspicious Script Object Execution", - "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan = 2m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted : true and */\n not process.name : (\n \"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", - "risk_score": 21, - "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - } - ], - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. 
This usually means a malicious scriptlet is being executed in the target process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Suspicious Script Object Execution", + "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan = 2m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted : true and */\n not process.name : (\n \"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "risk_score": 21, + "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 3 + }, + "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-4fe9d835-40e1-452d-8230-17c147cafad8.json b/packages/security_detection_engine/kibana/security_rule/rule-4fe9d835-40e1-452d-8230-17c147cafad8.json index 82b3d1660bc..f690143cd43 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-4fe9d835-40e1-452d-8230-17c147cafad8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-4fe9d835-40e1-452d-8230-17c147cafad8.json 
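Review bot: The new `query` still opens with `/* add winlogbeat-* when process.code_signature.* fields are populated */` while `index` already lists `winlogbeat-*`, so the comment and the index pattern contradict each other; with the signature check also commented out, the rule fires on any non-excluded process loading scrobj.dll from winlogbeat data as well. Either drop `winlogbeat-*` from `index` until the signature fields exist, or rewrite the comment to say the signature filter is pending rather than the index. `"technique": []` also leaves the Defense Evasion tactic without a technique, and this rule, like the DCOM MMC and RunDLL32 sequence rules later in this change, lacks the `"timestamp_override": "event.ingested"` the other EQL rules carry; if that omission is deliberate for sequence rules, a sentence in a `note` would save the next reviewer the same question.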
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via TSClient Mountpoint", - "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" - ], - "risk_score": 73, - "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. 
This may indicate a lateral movement attempt.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via TSClient Mountpoint", + "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "risk_score": 73, + "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-513f0ffd-b317-4b9c-9494-92ce861f22c7.json b/packages/security_detection_engine/kibana/security_rule/rule-513f0ffd-b317-4b9c-9494-92ce861f22c7.json index 34946d5b49e..d946177598e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-513f0ffd-b317-4b9c-9494-92ce861f22c7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-513f0ffd-b317-4b9c-9494-92ce861f22c7.json 
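Review bot: The `description` says the rule identifies execution from the tsclient mountpoint, but the new `query` only matches `process.executable : "\\\\Device\\\\Mup\\\\tsclient\\\\*.exe"`, so the glob is narrower than the stated scope. If the intent is any image launched from that share, `"\\\\Device\\\\Mup\\\\tsclient\\\\*"` matches the description; if the `.exe` suffix is intentional, the description should say so. Either way the two should agree so analysts know what an absence of alerts actually means.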
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Registry Persistence via AppCert DLL", - "query": "registry where\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n", - "risk_score": 47, - "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.009", - "name": "AppCert DLLs", - "reference": "https://attack.mitre.org/techniques/T1546/009/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "query": "registry where\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n", + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-514121ce-c7b6-474a-8237-68ff71672379.json b/packages/security_detection_engine/kibana/security_rule/rule-514121ce-c7b6-474a-8237-68ff71672379.json index fbb7e867aa1..b9bf1c1ce3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-514121ce-c7b6-474a-8237-68ff71672379.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-514121ce-c7b6-474a-8237-68ff71672379.json 
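Review bot: The new `query` matches every `registry` event under `HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*` with no `event.type` or `event.action` restriction, while the `description` says the rule detects key creation; the commented `length(bytes_written_string) > 0` shows the write-only intent but does nothing while disabled. If the data source populates ECS `event.type` for registry events, `registry where event.type in ("creation", "change") and registry.path : ...` would align the query with the description — confirm the values your endpoint actually emits before adding it. Until then, the description should say the rule fires on any registry activity under the path, not only creation.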
@@ -1,36 +1,40 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.", - "false_positives": [ - "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" - ], - "risk_score": 47, - "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Data Protection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. 
This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-51859fa0-d86b-4214-bf48-ebb30ed91305.json b/packages/security_detection_engine/kibana/security_rule/rule-51859fa0-d86b-4214-bf48-ebb30ed91305.json index 78f24834836..3c13df7508b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-51859fa0-d86b-4214-bf48-ebb30ed91305.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-51859fa0-d86b-4214-bf48-ebb30ed91305.json 
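Review bot: The rule in the new `attributes` block carries no `threat` mapping, unlike the other rules in this change, so its alerts surface without a MITRE tactic; disabling DKIM signing weakens a control, and a Defense Evasion / Impair Defenses (T1562) mapping, as used by the GCP and GuardDuty rules here, would fit. Separately, `o365.audit.Parameters.Enabled:False` depends on how that field is mapped: on a keyword field it is an exact, case-sensitive match on the string the audit log emits, while a boolean mapping would not match the literal `False` at all — worth confirming against the o365 integration's field mapping. The closing `and not being spoofed` also reads awkwardly and could become `rather than spoofed` on the next content update.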
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", - "false_positives": [ - "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Sink Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success", - "references": [ - "https://cloud.google.com/logging/docs/export" - ], - "risk_score": 47, - "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). 
Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", + "false_positives": [ + "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success", + "references": [ + "https://cloud.google.com/logging/docs/export" + ], + "risk_score": 47, + "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "51859fa0-d86b-4214-bf48-ebb30ed91305", + "type": "security_rule" } \ No newline at end of file 
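Review bot: The `note` says `The GCP Filebeat module must be enabled to use this rule.` while `index` includes `logs-gcp*`, the Fleet integration data stream, so the prerequisite text is incomplete; the DKIM rule earlier in this change uses the wording `The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.`, and this note should read `The GCP Fleet integration or Filebeat module must be enabled to use this rule.` The same mismatch appears in the AWS GuardDuty rule later in this change, which pairs `logs-aws*` with `The AWS Filebeat module must be enabled to use this rule.` Documentation only; the dataset and action filters in the query are fine.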
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json b/packages/security_detection_engine/kibana/security_rule/rule-51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json index 4563d6741e5..28921483e6e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n network.direction == \"incoming\" and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", - "references": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" - ], - "risk_score": 73, - "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with MMC", + "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n network.direction == \"incoming\" and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + ], + "risk_score": 73, + "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-523116c0-d89d-4d7c-82c2-39e6845a78ef.json b/packages/security_detection_engine/kibana/security_rule/rule-523116c0-d89d-4d7c-82c2-39e6845a78ef.json index 14de36eea44..76fa518d0e3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-523116c0-d89d-4d7c-82c2-39e6845a78ef.json 
+++ b/packages/security_detection_engine/kibana/security_rule/rule-523116c0-d89d-4d7c-82c2-39e6845a78ef.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", - "false_positives": [ - "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS GuardDuty Detector Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", - "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" - ], - "risk_score": 73, - "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + 
"Elastic" + ], + "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", + "false_positives": [ + "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS GuardDuty Detector Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", + "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" + ], + "risk_score": 73, + "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", + "type": 
"security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-52aaab7b-b51c-441a-89ce-4387b3aea886.json b/packages/security_detection_engine/kibana/security_rule/rule-52aaab7b-b51c-441a-89ce-4387b3aea886.json index a525835877a..5847218f4d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-52aaab7b-b51c-441a-89ce-4387b3aea886.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-52aaab7b-b51c-441a-89ce-4387b3aea886.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Network Connection via RunDLL32", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n", - "risk_score": 47, - "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.011", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1218/011/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via RunDLL32", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n", + "risk_score": 47, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 8 + }, + "id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc24-f5707f820c4b.json b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc24-f5707f820c4b.json index cea14f56d67..40134fd6de5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc24-f5707f820c4b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc24-f5707f820c4b.json 
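Review bot: The `cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")` exclusion in the new `query` covers RFC 1918 and IPv4 loopback only, so IPv6 loopback, link-local and IPv4 169.254.0.0/16 connections still alert, whereas the DCOM MMC rule in this same change already treats `::1` as local. Adding `"::1"`, `"fe80::/10"` and `"169.254.0.0/16"` to the list would make the two rules consistent, assuming cidrmatch accepts IPv6 prefixes in the target stack — confirm before changing it. `process.args_count == 1` (rundll32 launched with no arguments) is a sensible anchor but is explained nowhere; a short `note` stating why argument-less rundll32 is the trigger would help analysts write exceptions without defeating the rule.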
@@ -1,28 +1,32 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
- "name": "Unusual Linux Network Activity",
- "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+ "name": "Unusual Linux Network Activity",
+ "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc35-f5707f820c4c.json b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc35-f5707f820c4c.json
index 46bdfd2f8e1..938687fbb2e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc35-f5707f820c4c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-485e-bc35-f5707f820c4c.json
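Review bot: The rewritten file still ends without a trailing newline (`\ No newline at end of file` follows the closing `}` on the new side as well), and the same holds for every other file in this diff. Since each file is being regenerated in full anyway, this is the natural point to have the serializer emit a final `\n`, so the next edit does not show a spurious last-line change and `jq .` / `python -m json.tool` round-trips stay byte-stable.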
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
- "false_positives": [
- "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
- "name": "Unusual Linux Web Activity",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+ "false_positives": [
+ "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+ "name": "Unusual Linux Web Activity",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-596e-bc35-f5707f820c4b.json b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-596e-bc35-f5707f820c4b.json
index e2f7beafbe9..eb00a4fb8c7 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-596e-bc35-f5707f820c4b.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-52afbdc5-db15-596e-bc35-f5707f820c4b.json
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
- "false_positives": [
- "A newly installed program or one that rarely uses the network could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_anomalous_network_service",
- "name": "Unusual Linux Network Service",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+ "false_positives": [
+ "A newly installed program or one that rarely uses the network could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_anomalous_network_service",
+ "name": "Unusual Linux Network Service",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json b/packages/security_detection_engine/kibana/security_rule/rule-5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json
index 6b59ae21c2c..d300752ecba 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json
@@ -1,60 +1,64 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
- "false_positives": [
- "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Diagnostic Settings Deletion",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)",
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
- ],
- "risk_score": 47,
- "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+ "false_positives": [
+ "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Diagnostic Settings Deletion",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+ ],
+ "risk_score": 47,
+ "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-53a26770-9cbd-40c5-8b57-61d01a325e14.json b/packages/security_detection_engine/kibana/security_rule/rule-53a26770-9cbd-40c5-8b57-61d01a325e14.json
index 5b8a701e5e7..8cbb3d3fcfd 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-53a26770-9cbd-40c5-8b57-61d01a325e14.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-53a26770-9cbd-40c5-8b57-61d01a325e14.json
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Suspicious PDF Reader Child Process",
- "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
- "risk_score": 21,
- "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1204",
- "name": "User Execution",
- "reference": "https://attack.mitre.org/techniques/T1204/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Suspicious PDF Reader Child Process",
+ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+ "risk_score": 21,
+ "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1204",
+ "name": "User Execution",
+ "reference": "https://attack.mitre.org/techniques/T1204/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-54902e45-3467-49a4-8abc-529f2c8cfb80.json b/packages/security_detection_engine/kibana/security_rule/rule-54902e45-3467-49a4-8abc-529f2c8cfb80.json
index 9a865924cbe..00ba8378d5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-54902e45-3467-49a4-8abc-529f2c8cfb80.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-54902e45-3467-49a4-8abc-529f2c8cfb80.json
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Uncommon Registry Persistence Change",
- "query": "registry where\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
- "references": [
- "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2"
- ],
- "risk_score": 47,
- "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Uncommon Registry Persistence Change",
+ "query": "registry where\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+ "references": [
+ "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2"
+ ],
+ "risk_score": 47,
+ "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": []
 },
- "technique": []
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1112",
- "name": "Modify Registry",
- "reference": "https://attack.mitre.org/techniques/T1112/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1112",
+ "name": "Modify Registry",
+ "reference": "https://attack.mitre.org/techniques/T1112/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-55d551c6-333b-4665-ab7e-5d14a59715ce.json b/packages/security_detection_engine/kibana/security_rule/rule-55d551c6-333b-4665-ab7e-5d14a59715ce.json
index 02799e368c4..9e379493cdc 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-55d551c6-333b-4665-ab7e-5d14a59715ce.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-55d551c6-333b-4665-ab7e-5d14a59715ce.json 
@@ -1,64 +1,68 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", - "false_positives": [ - "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "PsExec Network Connection", - "query": "sequence by process.entity_id\n [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n [network where process.name : \"PsExec.exe\"]\n", - "risk_score": 21, - "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PsExec Network Connection", + "query": "sequence by process.entity_id\n [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n [network where process.name : \"PsExec.exe\"]\n", + "risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1569", - "name": "System Services", - "reference": "https://attack.mitre.org/techniques/T1569/", - "subtechnique": [ - { - "id": "T1569.002", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1569/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [] - } - ], - "type": "eql", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 7 + }, + "id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "type": "security_rule" } \ No newline at end of file 
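Review bot: The sequence in the new `query` keys both steps on `process.name : "PsExec.exe"` only, so the 64-bit binary shipped in the same Sysinternals package (PsExec64.exe) and any renamed copy of the tool fall outside the rule even though the description speaks of PsExec generally. Matching both file names in each step, `process.name : ("PsExec.exe", "PsExec64.exe")`, closes the first gap cheaply; keying on `process.pe.original_file_name` where the data source populates it would also cover renamed copies. The `from: "now-9m"` and `index` list are unchanged by the wrapping and look consistent with the other endpoint rules in this diff.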
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-56557cde-d923-4b88-adee-c61b3f3b5dc3.json b/packages/security_detection_engine/kibana/security_rule/rule-56557cde-d923-4b88-adee-c61b3f3b5dc3.json index 1e2339a7129..4d1f2c19faf 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-56557cde-d923-4b88-adee-c61b3f3b5dc3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-56557cde-d923-4b88-adee-c61b3f3b5dc3.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", - "risk_score": 21, - "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.002", - "name": "Code Signing", - "reference": "https://attack.mitre.org/techniques/T1553/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.002", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1553/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-565c2b44-7a21-4818-955f-8d4737967d2e.json b/packages/security_detection_engine/kibana/security_rule/rule-565c2b44-7a21-4818-955f-8d4737967d2e.json index dbb77917b80..9fe61953879 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-565c2b44-7a21-4818-955f-8d4737967d2e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-565c2b44-7a21-4818-955f-8d4737967d2e.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Admin Group Account Addition", - "query": "event.category:process and event.type:(start or process_started) and process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))", - "references": [ - "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" - ], - "risk_score": 47, - "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add an account to the admin group via the command line. 
This could be an indication of privilege escalation activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Admin Group Account Addition", + "query": "event.category:process and event.type:(start or process_started) and process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))", + "references": [ + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" + ], + "risk_score": 47, + "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-565d6ca5-75ba-4c82-9b13-add25353471c.json b/packages/security_detection_engine/kibana/security_rule/rule-565d6ca5-75ba-4c82-9b13-add25353471c.json index 131d12431fb..55652d12b55 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-565d6ca5-75ba-4c82-9b13-add25353471c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-565d6ca5-75ba-4c82-9b13-add25353471c.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Dumping of Keychain Content via Security Command", - "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", - "references": [ - "https://ss64.com/osx/security.html" - ], - "risk_score": 73, - "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. 
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dumping of Keychain Content via Security Command", + "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", + "references": [ + "https://ss64.com/osx/security.html" + ], + "risk_score": 73, + "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json b/packages/security_detection_engine/kibana/security_rule/rule-5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json index 5e7fbf59593..73d0359d8b5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", - "false_positives": [ - "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Bucket Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success", - "references": [ - "https://cloud.google.com/logging/docs/buckets", - "https://cloud.google.com/logging/docs/storage" - ], - "risk_score": 47, - "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", + "false_positives": [ + "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Bucket Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success", + "references": [ + "https://cloud.google.com/logging/docs/buckets", + "https://cloud.google.com/logging/docs/storage" + ], + "risk_score": 47, + "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": 
"https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5700cb81-df44-46aa-a5d7-337798f53eb8.json b/packages/security_detection_engine/kibana/security_rule/rule-5700cb81-df44-46aa-a5d7-337798f53eb8.json index d5e20532592..fd5ca26a94d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5700cb81-df44-46aa-a5d7-337798f53eb8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5700cb81-df44-46aa-a5d7-337798f53eb8.json 
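Review bot: The `note` in the new hunk states that only the GCP Filebeat module must be enabled, while the `index` list also matches `logs-gcp*` and the query accepts `event.dataset:(googlecloud.audit or gcp.audit)`, i.e. both the Fleet integration and the Filebeat module are valid sources. Rewording it to `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."` keeps the setup note consistent with what the query actually accepts. The text is carried over unchanged from the old side, so the fix belongs in the rule source rather than only in this export.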
@@ -1,64 +1,68 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", - "risk_score": 73, - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use 
of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Software", - "reference": 
"https://attack.mitre.org/techniques/T1219/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-571afc56-5ed9-465d-a2a9-045f099f6e7e.json b/packages/security_detection_engine/kibana/security_rule/rule-571afc56-5ed9-465d-a2a9-045f099f6e7e.json index 6d7704eaf11..2b7e34c700e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-571afc56-5ed9-465d-a2a9-045f099f6e7e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-571afc56-5ed9-465d-a2a9-045f099f6e7e.json 
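Review bot: The `not source.ip:( ... )` exclusion in the new `query` omits the RFC 6598 shared address space (100.64.0.0/10) and IPv6 unique local addresses (fc00::/7), so VNC sessions arriving through carrier-grade NAT or from ULA-addressed internal hosts are reported as coming "from the Internet" while the destination side is already restricted to RFC 1918 space. Adding `100.64.0.0/8`-style entries is wrong; the precise additions are `100.64.0.0/10` and `"fc00::/7"` inside the same `or` group, which aligns the source filter with the destination filter. The 5800–5810 port range only covers the first display numbers, but that is a tuning choice rather than a defect and is best left to the rule's false-positive guidance.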
@@ -1,24 +1,28 @@ { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Credential Dumping - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", - "risk_score": 73, - "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", - "severity": "high", - "tags": [ - "Elastic", - "Elastic Endgame" - ], - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Credential Dumping - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 5 + }, + "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-581add16-df76-42bb-af8e-c979bfb39a59.json b/packages/security_detection_engine/kibana/security_rule/rule-581add16-df76-42bb-af8e-c979bfb39a59.json index c3c44b01d3a..95db28afed7 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-581add16-df76-42bb-af8e-c979bfb39a59.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-581add16-df76-42bb-af8e-c979bfb39a59.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Deleting Backup Catalogs with Wbadmin", - "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)", - "risk_score": 21, - "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. 
Ransomware and other malware may do this to prevent system recovery.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Deleting Backup Catalogs with Wbadmin", + "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)", + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "581add16-df76-42bb-af8e-c979bfb39a59", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-58aa72ca-d968-4f34-b9f7-bea51d75eb50.json b/packages/security_detection_engine/kibana/security_rule/rule-58aa72ca-d968-4f34-b9f7-bea51d75eb50.json index a4e239cef43..b375b5be41c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-58aa72ca-d968-4f34-b9f7-bea51d75eb50.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-58aa72ca-d968-4f34-b9f7-bea51d75eb50.json 
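Review bot: The `threat` mapping in the new hunk files this rule under Defense Evasion / T1070.004 (File Deletion), whereas the `description` says the catalog is deleted "to prevent system recovery", which is the behaviour ATT&CK describes under the Impact technique T1490 (Inhibit System Recovery). Adding a second `threat` entry for tactic TA0040 (Impact) with technique T1490, alongside the existing one, would make the mapping match the stated intent; whether the upstream rule source already carries that mapping is not visible here. Since the mapping is identical on both sides of the hunk, this is a follow-up for the rule source rather than a regression introduced by the wrapping.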
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "RDP Enabled via Registry", - "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", - "risk_score": 47, - "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. 
This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-58ac2aa5-6718-427c-a845-5f3ac5af00ba.json b/packages/security_detection_engine/kibana/security_rule/rule-58ac2aa5-6718-427c-a845-5f3ac5af00ba.json index 7cc89ff1417..a0477ce0a9e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-58ac2aa5-6718-427c-a845-5f3ac5af00ba.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-58ac2aa5-6718-427c-a845-5f3ac5af00ba.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Zoom Meeting with no Passcode", - "note": "This rule requires the Zoom Filebeat module.", - "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*", - "references": [ - "https://blog.zoom.us/a-message-to-our-users/", - "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" - ], - "risk_score": 47, - "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", - "severity": "medium", - "tags": [ - "Elastic", - "Application", - "Communication", - "Zoom", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies Zoom meetings that are created 
without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Zoom Meeting with no Passcode", + "note": "This rule requires the Zoom Filebeat module.", + "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*", + "references": [ + "https://blog.zoom.us/a-message-to-our-users/", + "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" + ], + "risk_score": 47, + "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "severity": "medium", + "tags": [ + "Elastic", + "Application", + "Communication", + "Zoom", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "type": "security_rule" } \ No newline at end of file 
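Review bot: `index` lists only `filebeat-*`, while the other integration-backed rules in this diff pair the Filebeat pattern with the Agent data stream (`"filebeat-*", "logs-aws*"` in the CloudTrail and WAF rules below). If Zoom webhook events are ingested through an Elastic Agent integration rather than the Filebeat module, this rule never evaluates them; adding the matching data-stream pattern (`logs-<ZOOM_DATASTREAM>*` is a placeholder — confirm the actual name) and widening the `note` beyond "requires the Zoom Filebeat module" would close that gap. Separately, the `description` ends with "typically resulting of the shutdown of the session", which should read "typically resulting in the shutdown of the session".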
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-58bc134c-e8d2-4291-a552-b4b3e537c60b.json b/packages/security_detection_engine/kibana/security_rule/rule-58bc134c-e8d2-4291-a552-b4b3e537c60b.json index bc275187b23..c343698defe 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-58bc134c-e8d2-4291-a552-b4b3e537c60b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-58bc134c-e8d2-4291-a552-b4b3e537c60b.json 
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Lateral Tool Transfer", - "query": "sequence by host.id with maxspan=30s\n [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", - "risk_score": 47, - "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1570", - "name": "Lateral Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1570/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or change of a Windows executable file over network shares. 
Adversaries may transfer tools or other files between systems in a compromised environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Tool Transfer", + "query": "sequence by host.id with maxspan=30s\n [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", + "risk_score": 47, + "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json b/packages/security_detection_engine/kibana/security_rule/rule-594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json index 299442aafba..5aa1dd56538 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json 
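Review bot: The rule has no `timestamp_override`, although the sibling rules in this diff (the RDP registry rule above, the CloudTrail and UAC rules below) set `"timestamp_override": "event.ingested"`; with `"from": "now-9m"` and no override, events whose `@timestamp` trails ingestion by more than the look-back window are never evaluated. Adding `"timestamp_override": "event.ingested",` alongside `"type": "eql"` brings it in line with the others. The only documentation of the second sequence stage is the embedded `/* add more executable extensions … */` comment; a `note` stating that the rule is scoped to inbound SMB (destination port 445) connections followed by file writes by the System process (pid 4) would give analysts the context they need to triage a hit.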
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", - "false_positives": [ - "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Created", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" - ], - "risk_score": 21, - "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage Object", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", + "false_positives": [ + "Trail creations may be made by a system or network 
administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Created", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" + ], + "risk_score": 21, + "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage Object", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-59756272-1998-4b8c-be14-e287035c4d10.json b/packages/security_detection_engine/kibana/security_rule/rule-59756272-1998-4b8c-be14-e287035c4d10.json index 68c014970e5..cefe4777515 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-59756272-1998-4b8c-be14-e287035c4d10.json 
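Review bot: The `note` says "The AWS Filebeat module must be enabled to use this rule", but `index` also includes `logs-aws*`, the Elastic Agent AWS integration data stream, so the note understates the supported sources; the WAF rule-deletion hunk at the end of this chunk carries the same wording. Rewording to `"note": "The AWS integration or the AWS Filebeat module must be enabled to use this rule."` matches the index patterns. The `threat` mapping (TA0009 Collection / T1530 Data from Cloud Storage Object) is hard to reconcile with a CreateTrail call, which is a logging-configuration change rather than collection from storage; confirm that this mapping is intentional.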
+++ b/packages/security_detection_engine/kibana/security_rule/rule-59756272-1998-4b8c-be14-e287035c4d10.json 
@@ -1,44 +1,48 @@ { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_system_user_discovery", - "name": "Unusual Linux System Owner or User Discovery Activity", - "risk_score": 21, - "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. 
This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_system_user_discovery", + "name": "Unusual Linux System Owner or User Discovery Activity", + "risk_score": 21, + "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "machine_learning", + "version": 2 + }, + "id": "59756272-1998-4b8c-be14-e287035c4d10", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5a14d01d-7ac8-4545-914c-b687c2cf66b3.json b/packages/security_detection_engine/kibana/security_rule/rule-5a14d01d-7ac8-4545-914c-b687c2cf66b3.json index 972d541b94f..b64a034cb73 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5a14d01d-7ac8-4545-914c-b687c2cf66b3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5a14d01d-7ac8-4545-914c-b687c2cf66b3.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", - "references": [ - "https://github.com/hfiref0x/UACME" - ], - "risk_score": 73, - "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "risk_score": 73, + "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json b/packages/security_detection_engine/kibana/security_rule/rule-5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json index 70c02bb052d..267a9a7bf8e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Detects use of the systemsetup command to enable remote SSH Login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Remote SSH Login Enabled via systemsetup Command", - "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-setremotelogin\" and on)", - "references": [ - "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", - "https://ss64.com/osx/systemsetup.html", - "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" - ], - "risk_score": 47, - "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects use of the systemsetup command to enable remote SSH Login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Remote SSH Login Enabled via systemsetup Command", + "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-setremotelogin\" and on)", + "references": [ + "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", + "https://ss64.com/osx/systemsetup.html", + 
"https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" + ], + "risk_score": 47, + "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5aee924b-6ceb-4633-980e-1bde8cdb40c5.json b/packages/security_detection_engine/kibana/security_rule/rule-5aee924b-6ceb-4633-980e-1bde8cdb40c5.json index 3e12e70ada5..3e76c83a043 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5aee924b-6ceb-4633-980e-1bde8cdb40c5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5aee924b-6ceb-4633-980e-1bde8cdb40c5.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Secure File Deletion via SDelete Utility", - "note": "Verify process details such as command line and hash to confirm this activity legitimacy.", - "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n", - "risk_score": 21, - "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Secure File Deletion via SDelete Utility", + "note": "Verify process details such as command line and hash to confirm this activity legitimacy.", + "query": "file where event.type == \"change\" and file.name : 
\"*AAA.AAA\"\n", + "risk_score": 21, + "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5b03c9fb-9945-4d2f-9568-fd690fee3fba.json b/packages/security_detection_engine/kibana/security_rule/rule-5b03c9fb-9945-4d2f-9568-fd690fee3fba.json index ef486c08f16..a599f84805c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5b03c9fb-9945-4d2f-9568-fd690fee3fba.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5b03c9fb-9945-4d2f-9568-fd690fee3fba.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", - "false_positives": [ - "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Virtual Machine Fingerprinting", - "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root", - "risk_score": 73, - "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. 
This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting", + "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root", + "risk_score": 73, + "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json b/packages/security_detection_engine/kibana/security_rule/rule-5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json index 41713b2c117..a19926c4fb2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious PrintSpooler Service Executable File Creation", - "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)", - "references": [ - "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", - "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" - ], - "risk_score": 73, - "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. 
For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler Service Executable File Creation", + "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)", + "references": [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" + ], + "risk_score": 73, + "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5beaebc1-cc13-4bfc-9949-776f9e0dc318.json b/packages/security_detection_engine/kibana/security_rule/rule-5beaebc1-cc13-4bfc-9949-776f9e0dc318.json index 48492b80a3b..dbe9a3dbfb7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5beaebc1-cc13-4bfc-9949-776f9e0dc318.json 
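Review bot: The `description` directs the reader to CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, but `references` only carries write-ups for CVE-2020-1337 and CVE-2020-1300; either add a reference for CVE-2020-1048 or drop it from the description so the two stay consistent. The `query` excludes spooler writes under `C:\Windows\System32\spool\*`, `C:\Windows\Temp\*` and `C:\Users\*`, which narrows the rule to drops into other system locations; that looks like a deliberate noise trade-off, and it should be stated in a `note` so analysts know which file paths the rule does not cover. The rule also lacks a `note` entirely, unlike the SDelete and AWS rules in this diff.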
+++ b/packages/security_detection_engine/kibana/security_rule/rule-5beaebc1-cc13-4bfc-9949-776f9e0dc318.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", - "false_positives": [ - "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS WAF Rule or Rule Group Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", - "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html" - ], - "risk_score": 47, - "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web 
Application Firewall (WAF) rule or rule group.", + "false_positives": [ + "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Rule or Rule Group Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html" + ], + "risk_score": 47, + "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", + "type": "security_rule" } \ No newline at end of file 
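Review bot: The new-side `query` constrains only `event.dataset:aws.cloudtrail`, `event.action:(DeleteRule or DeleteRuleGroup)` and `event.outcome:success`, so it is not scoped to the WAF event source and will also fire on `DeleteRule` calls from other CloudTrail sources that reuse that action name (EventBridge rules and ELBv2 listener rules, for example). Adding a provider clause for the WAF services, e.g. `event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)`, keeps the rule to the deletions that the name and description promise. The `note` field still says only the AWS Filebeat module must be enabled, while `index` also covers `logs-aws*` from the Fleet integration; siblings on this page phrase this as "The <X> Fleet integration or Filebeat module must be enabled to use this rule."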
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5c983105-4681-46c3-9890-0c66d05e776b.json b/packages/security_detection_engine/kibana/security_rule/rule-5c983105-4681-46c3-9890-0c66d05e776b.json index e0e8e796ea8..5bae104d135 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5c983105-4681-46c3-9890-0c66d05e776b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5c983105-4681-46c3-9890-0c66d05e776b.json 
@@ -1,44 +1,48 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_system_process_discovery", - "name": "Unusual Linux Process Discovery Activity", - "risk_score": 21, - "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. 
This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_system_process_discovery", + "name": "Unusual Linux Process Discovery Activity", + "risk_score": 21, + "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "type": "machine_learning", + "version": 2 + }, + "id": "5c983105-4681-46c3-9890-0c66d05e776b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5cd55388-a19c-47c7-8ec4-f41656c2fded.json b/packages/security_detection_engine/kibana/security_rule/rule-5cd55388-a19c-47c7-8ec4-f41656c2fded.json index d55e8028d4d..87732d84ce6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5cd55388-a19c-47c7-8ec4-f41656c2fded.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5cd55388-a19c-47c7-8ec4-f41656c2fded.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Outbound Scheduled Task Activity via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" - ], - "risk_score": 47, - "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. 
This may indicate lateral movement or remote discovery via scheduled tasks.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Outbound Scheduled Task Activity via PowerShell", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + ], + "risk_score": 47, + "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json b/packages/security_detection_engine/kibana/security_rule/rule-5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json index dd6102e188e..fe92f592373 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json 
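Review bot: The `false_positives` entry in the new-side attributes ("Legitimate scheduled tasks may be created during installation of new software") does not describe what the query actually matches: PowerShell loading `taskschd.dll` and then opening an RPC connection to port 135 on a non-loopback address, which is exactly what remote task administration from an admin workstation looks like. Consider adding an entry such as `"Administrators managing scheduled tasks on remote hosts from PowerShell (Task Scheduler COM interface) will trigger this rule; tune by source host or user."`. The rule also has no `note` field, unlike most siblings on this page; a one-line triage hint (pivot on `process.entity_id` and `destination.address` within the 5s window) would help analysts.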
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic", - "Skoetting" - ], - "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Added to Privileged Group in Active Directory", - "query": "event.category:iam and event.action:\"added-member-to-group\" and group.name:(Administrators or \"Local Administrators\" or \"Domain Admins\" or \"Enterprise Admins\" or \"Backup Admins\" or \"Schema Admins\" or \"DnsAdmins\")", - "references": [ - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" - ], - "risk_score": 21, - "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. 
Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added to Privileged Group in Active Directory", + "query": "event.category:iam and event.action:\"added-member-to-group\" and group.name:(Administrators or \"Local Administrators\" or \"Domain Admins\" or \"Enterprise Admins\" or \"Backup Admins\" or \"Schema Admins\" or \"DnsAdmins\")", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "risk_score": 21, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5d0265bf-dea9-41a9-92ad-48a8dcd05080.json b/packages/security_detection_engine/kibana/security_rule/rule-5d0265bf-dea9-41a9-92ad-48a8dcd05080.json index 30b045c7cb0..c0aebaae0f4 100644 
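Review bot: The `group.name` list in the new-side `query` includes `"Backup Admins"`, which is not a default Active Directory or local group; the privileged built-in group is `Backup Operators`, so additions to it are never matched. The referenced Microsoft appendix also lists further privileged groups that the clause omits (Account Operators, Server Operators, Print Operators, Group Policy Creator Owners, Key Admins, Enterprise Key Admins); extend the clause, e.g. `... or "Backup Operators" or "Account Operators" or "Server Operators" or "Print Operators" or "Group Policy Creator Owners" ...`. Separately, the ATT&CK mapping to T1136.001 (Create Account: Local Account) does not describe adding an existing user to a group; T1098 Account Manipulation, which the Teams rule later on this page uses, fits the behaviour better.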
--- a/packages/security_detection_engine/kibana/security_rule/rule-5d0265bf-dea9-41a9-92ad-48a8dcd05080.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5d0265bf-dea9-41a9-92ad-48a8dcd05080.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Login or Logout Hook", - "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", - "references": [ - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", - "https://www.manpagez.com/man/1/defaults/" - ], - "risk_score": 47, - "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. 
An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Login or Logout Hook", + "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", + "references": [ + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", + "https://www.manpagez.com/man/1/defaults/" + ], + "risk_score": 47, + "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json b/packages/security_detection_engine/kibana/security_rule/rule-5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json index 3a95398b4cf..4ede3ff0610 100644 
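Review bot: The new-side `index` includes `auditbeat-*`, but the `query` matches only `event.type == "start"`, whereas the sibling macOS rule on this page (Suspicious Automator Workflows Execution) matches `event.type in ("start", "process_started")` for the same two indices; if Auditbeat process events carry `process_started`, this rule is blind to that source. Align the first clause to `process where event.type in ("start", "process_started") and` or drop `auditbeat-*` from `index`. The `not process.args : (...)` exception is keyed only on the argument string; anchoring it to the JAMF agent as the parent process (e.g. via `process.parent.executable`) would make the allowlist depend on who is writing the hook rather than on the path text alone. The description also spells the platform `MacOS`; the tags and Apple's own usage are `macOS`.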
--- a/packages/security_detection_engine/kibana/security_rule/rule-5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", - "false_positives": [ - "Legitimate scheduled tasks running third party software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution via Scheduled Task", - "query": "process where event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\", \n \"C:\\\\Windows\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\Tasks\\\\*\", \n \"C:\\\\PerfLogs\\\\*\", \n \"C:\\\\Intel\\\\*\", \n \"C:\\\\Windows\\\\Debug\\\\*\", \n \"C:\\\\HP\\\\*\")\n", - "risk_score": 47, - "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" 
+ ], + "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", + "false_positives": [ + "Legitimate scheduled tasks running third party software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Scheduled Task", + "query": "process where event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\", \n \"C:\\\\Windows\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\Tasks\\\\*\", \n \"C:\\\\PerfLogs\\\\*\", \n \"C:\\\\Intel\\\\*\", \n \"C:\\\\Windows\\\\Debug\\\\*\", \n \"C:\\\\HP\\\\*\")\n", + "risk_score": 47, + "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "type": "security_rule" } \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5d9f8cfc-0d03-443e-a167-2b0597ce0965.json b/packages/security_detection_engine/kibana/security_rule/rule-5d9f8cfc-0d03-443e-a167-2b0597ce0965.json index 30d2ff8c2a2..bc7bad81f2e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5d9f8cfc-0d03-443e-a167-2b0597ce0965.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5d9f8cfc-0d03-443e-a167-2b0597ce0965.json 
@@ -1,47 +1,51 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Automator Workflows Execution", - "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n", - "references": [ - "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" - ], - "risk_score": 47, - "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. 
Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Automator Workflows Execution", + "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "risk_score": 47, + "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-5e552599-ddec-4e14-bad1-28aa42404388.json b/packages/security_detection_engine/kibana/security_rule/rule-5e552599-ddec-4e14-bad1-28aa42404388.json index 590878ca20b..ff54d1311f0 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-5e552599-ddec-4e14-bad1-28aa42404388.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-5e552599-ddec-4e14-bad1-28aa42404388.json 
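Review bot: The new-side `description` contains the typo "from it's XPC service"; it should read `from its XPC service`. The second sequence stage, `[network where process.name:"com.apple.automator.runner"]`, carries no `event.type` or destination constraint, so any network event from the runner, including loopback or local traffic, completes the sequence; if that is intended, a `false_positives` entry describing benign workflows that make network calls would help tuning, since the rule currently has none.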
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", - "false_positives": [ - "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Teams Guest Access Enabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" - ], - "risk_score": 47, - "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. 
Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-60884af6-f553-4a6c-af13-300047455491.json b/packages/security_detection_engine/kibana/security_rule/rule-60884af6-f553-4a6c-af13-300047455491.json index df1f35fdeeb..c2413f153d4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-60884af6-f553-4a6c-af13-300047455491.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-60884af6-f553-4a6c-af13-300047455491.json 
@@ -1,55 +1,59 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
- "false_positives": [
- "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Command Execution on Virtual Machine",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)",
- "references": [
- "https://adsecurity.org/?p=4277",
- "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
- ],
- "risk_score": 47,
- "rule_id": "60884af6-f553-4a6c-af13-300047455491",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+ "false_positives": [
+ "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Command Execution on Virtual Machine",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)",
+ "references": [
+ "https://adsecurity.org/?p=4277",
+ "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+ ],
+ "risk_score": 47,
+ "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "60884af6-f553-4a6c-af13-300047455491",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json b/packages/security_detection_engine/kibana/security_rule/rule-60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
index 6771b8e2058..3403a8ad202 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
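Review bot: The new top-level `id` repeats `attributes.rule_id` verbatim and nothing in the saved object ties the two together, so a later edit to either value can leave them disagreeing without any error; the same duplication is introduced below for rules 60b6b72f, 60f3adec, 610949a1, 61c31c14, 622ecb68, 63e65ec3, 647fc812 and 6482255d. If the package has a build or test step, it should assert `id == attributes.rule_id` and that `id` matches the `rule-<uuid>.json` filename rather than relying on the export tooling to keep them in step. Separately, `note` still reads `"The Azure Filebeat module must be enabled to use this rule."` while `index` lists `logs-azure*`; the sibling rule 60b6b72f says `"The Azure Fleet Integration or Filebeat module must be enabled to use this rule."`, and that wording fits this rule as well.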
@@ -1,61 +1,65 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
- "false_positives": [
- "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Service Principal Addition",
- "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
- "references": [
- "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
- ],
- "risk_score": 47,
- "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1550",
- "name": "Use Alternate Authentication Material",
- "reference": "https://attack.mitre.org/techniques/T1550/",
- "subtechnique": [
- {
- "id": "T1550.001",
- "name": "Application Access Token",
- "reference": "https://attack.mitre.org/techniques/T1550/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+ "false_positives": [
+ "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Service Principal Addition",
+ "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
+ "references": [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+ ],
+ "risk_score": 47,
+ "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1550",
+ "name": "Use Alternate Authentication Material",
+ "reference": "https://attack.mitre.org/techniques/T1550/",
+ "subtechnique": [
+ {
+ "id": "T1550.001",
+ "name": "Application Access Token",
+ "reference": "https://attack.mitre.org/techniques/T1550/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-60f3adec-1df9-4104-9c75-b97d9f078b25.json b/packages/security_detection_engine/kibana/security_rule/rule-60f3adec-1df9-4104-9c75-b97d9f078b25.json
index e7f9f7288d5..43ba1835f41 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-60f3adec-1df9-4104-9c75-b97d9f078b25.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-60f3adec-1df9-4104-9c75-b97d9f078b25.json 
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
- "false_positives": [
- "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-30m",
- "index": [
- "filebeat-*",
- "logs-o365*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Microsoft 365 Exchange DLP Policy Removed",
- "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
- "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
- ],
- "risk_score": 47,
- "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
+ "false_positives": [
+ "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 Exchange DLP Policy Removed",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
+ ],
+ "risk_score": 47,
+ "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-610949a1-312f-4e04-bb55-3a79b8c95267.json b/packages/security_detection_engine/kibana/security_rule/rule-610949a1-312f-4e04-bb55-3a79b8c95267.json
index 981cec4ed85..c3c50749e4f 100644
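Review bot: `query` fires only on `event.action:"Remove-DlpPolicy"`, so a DLP policy that is disabled or switched to a non-enforcing mode in place (the `Set-DlpPolicy` cmdlet from the same Exchange module, if the tenant's unified audit log records it) produces no alert even though `description` frames the goal as evading DLP monitoring. Either widen `event.action` to cover the modify cmdlet as well, or state in `note` that only outright removal is detected so analysts do not read silence as coverage. The T1562 (Impair Defenses) mapping is consistent with either choice.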
--- a/packages/security_detection_engine/kibana/security_rule/rule-610949a1-312f-4e04-bb55-3a79b8c95267.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-610949a1-312f-4e04-bb55-3a79b8c95267.json
@@ -1,45 +1,49 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Unusual Process Network Connection",
- "query": "sequence by process.entity_id\n [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n",
- "risk_score": 21,
- "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1127",
- "name": "Trusted Developer Utilities Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1127/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Unusual Process Network Connection",
+ "query": "sequence by process.entity_id\n [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n",
+ "risk_score": 21,
+ "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1127",
+ "name": "Trusted Developer Utilities Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1127/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 7
+ },
+ "id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-61c31c14-507f-4627-8c31-072556b89a9c.json b/packages/security_detection_engine/kibana/security_rule/rule-61c31c14-507f-4627-8c31-072556b89a9c.json
index da5fb1232fa..4482a74336e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-61c31c14-507f-4627-8c31-072556b89a9c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-61c31c14-507f-4627-8c31-072556b89a9c.json
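Review bot: The `sequence by process.entity_id` in `query` carries no `maxspan`, so a matching process start pairs with a network event from that process at any later time and the engine must keep every candidate sequence open indefinitely; the sibling rule 622ecb68 in this commit bounds its sequence with `sequence with maxspan=1m`, and a bound of that order would suit this rule too. As a point of style, the twelve-name `process.name` disjunction is spelled out twice and must be kept in sync by hand; EQL accepts a list form, `process.name : ("Microsoft.Workflow.Compiler.exe", "bginfo.exe", "cdb.exe", ..., "xwizard.exe")`, which would make both subqueries one readable line each.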
@@ -1,33 +1,37 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.",
- "false_positives": [
- "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Mknod Process Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
- "references": [
- "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
- ],
- "risk_score": 21,
- "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.",
+ "false_positives": [
+ "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Mknod Process Activity",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+ "references": [
+ "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
+ ],
+ "risk_score": 21,
+ "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "61c31c14-507f-4627-8c31-072556b89a9c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-622ecb68-fa81-4601-90b5-f8cd661e4520.json b/packages/security_detection_engine/kibana/security_rule/rule-622ecb68-fa81-4601-90b5-f8cd661e4520.json
index 5891c776a0c..56787ceb56e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-622ecb68-fa81-4601-90b5-f8cd661e4520.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-622ecb68-fa81-4601-90b5-f8cd661e4520.json
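Review bot: This rule is the only one in this chunk with no `threat` array, so its alerts will not appear under any tactic or technique in ATT&CK coverage views and the `tags` stop at `"Threat Detection"` with no tactic tag. `description` ties `mknod` to the payload of command-injection exploits, so an Execution (TA0002) entry with T1059 (Command and Scripting Interpreter) — the exact mapping rule 60884af6 earlier in this commit uses — would be a reasonable starting point, with the rule owner confirming the sub-technique. Adding the mapping is a metadata change only; `query` needs no edit.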
@@ -1,48 +1,52 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Incoming DCOM Lateral Movement via MSHTA",
- "query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by host.id, process.entity_id\n",
- "references": [
- "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
- ],
- "risk_score": 73,
- "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Lateral Movement"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
- },
- "technique": [
- {
- "id": "T1021",
- "name": "Remote Services",
- "reference": "https://attack.mitre.org/techniques/T1021/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Incoming DCOM Lateral Movement via MSHTA",
+ "query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by host.id, process.entity_id\n",
+ "references": [
+ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Lateral Movement"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-63e65ec3-43b1-45b0-8f2d-45b34291dc44.json b/packages/security_detection_engine/kibana/security_rule/rule-63e65ec3-43b1-45b0-8f2d-45b34291dc44.json
index b6c3bb0c625..49f1d40ce39 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-63e65ec3-43b1-45b0-8f2d-45b34291dc44.json
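Review bot: `network.direction == "incoming"` in `query` is an exact comparison against a producer-specific value; the ECS vocabulary for `network.direction` is `ingress`/`egress` (or `inbound`/`outbound`), so if either data source listed in `index` moves to the ECS spelling this rule goes quiet with no error to notice. Matching both forms, `network.direction : ("incoming", "ingress")`, keeps the rule working across that transition; alternatively the dependency on the `incoming` spelling should be recorded in a `note`, which this rule currently lacks. The `"version": 2` is unchanged by the commit, which is consistent with the wrapper-only change.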
+++ b/packages/security_detection_engine/kibana/security_rule/rule-63e65ec3-43b1-45b0-8f2d-45b34291dc44.json 
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Network Connection via Signed Binary",
- "query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
- "risk_score": 21,
- "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Network Connection via Signed Binary",
+ "query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+ "risk_score": 21,
+ "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "Signed Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1218",
- "name": "Signed Binary Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1218/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": []
- }
- ],
- "type": "eql",
- "version": 7
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": []
+ }
+ ],
+ "type": "eql",
+ "version": 7
+ },
+ "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-647fc812-7996-4795-8869-9c4ea595fe88.json b/packages/security_detection_engine/kibana/security_rule/rule-647fc812-7996-4795-8869-9c4ea595fe88.json
index b01c8285695..da302de815d 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-647fc812-7996-4795-8869-9c4ea595fe88.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-647fc812-7996-4795-8869-9c4ea595fe88.json
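Review bot: The `not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")` filter in `query` excludes only the three RFC 1918 ranges, so loopback (`127.0.0.0/8`), link-local (`169.254.0.0/16`) and their IPv6 counterparts (`::1`, `fe80::/10`, `fc00::/7`) are still treated as external destinations and the rule alerts on purely local traffic from these binaries. Adding those ranges to the `cidrmatch` list preserves the rule's intent of "not a private destination" without widening its scope. Worth confirming as well: the list names `extrac.exe`, while the Windows cabinet extraction utility ships as `extrac32.exe`; the `:` match on `extrac.exe` does not cover that name, so one of the four entries may never fire. Like rule 610949a1 above, the `sequence` here has no `maxspan`, which the earlier note already covers.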
@@ -1,31 +1,35 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
- "false_positives": [
- "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
- "name": "Anomalous Process For a Linux Population",
- "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+ "false_positives": [
+ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
+ "name": "Anomalous Process For a Linux Population",
+ "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "647fc812-7996-4795-8869-9c4ea595fe88",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6482255d-f468-45ea-a5b3-d3a7de1331ae.json b/packages/security_detection_engine/kibana/security_rule/rule-6482255d-f468-45ea-a5b3-d3a7de1331ae.json
index 9811f0a5223..6dc12b6177b 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-6482255d-f468-45ea-a5b3-d3a7de1331ae.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-6482255d-f468-45ea-a5b3-d3a7de1331ae.json
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Safari Settings via Defaults Command", - "query": "event.category:process and event.type:start and process.name:defaults and process.args: (com.apple.Safari and write and not ( UniversalSearchEnabled or SuppressSearchSuggestions or WebKitTabToLinksPreferenceKey or ShowFullURLInSmartSearchField or com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks ) )", - "references": [ - "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" - ], - "risk_score": 47, - "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the Safari configuration using the built-in defaults command. 
Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Safari Settings via Defaults Command", + "query": "event.category:process and event.type:start and process.name:defaults and process.args: (com.apple.Safari and write and not ( UniversalSearchEnabled or SuppressSearchSuggestions or WebKitTabToLinksPreferenceKey or ShowFullURLInSmartSearchField or com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks ) )", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "risk_score": 47, + "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json b/packages/security_detection_engine/kibana/security_rule/rule-661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json index b4b2b41f601..682205e1b86 100644 
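Review bot: The new top-level `id` duplicates `attributes.rule_id` with no visible check that the two agree, so a hand edit to either field can leave the asset advertising one rule and installing another; the same applies to every wrapped rule in this diff (rule-661545b4, 665e7a4f, 66883649, 66da12b1, 6731fbf2, 676cff2b, 67a9beba, 68113fdc). If the envelope is produced by a script, a package test asserting `id == attributes.rule_id` for every file under `kibana/security_rule/` would catch drift. Separately, the description still reads `hijacking of the users browser`; `user's browser` is intended.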
--- a/packages/security_detection_engine/kibana/security_rule/rule-661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Mount SMB Share via Command Line", - "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n )\n", - "references": [ - "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", - "https://ss64.com/osx/mount.html" - ], - "risk_score": 21, - "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. 
Adversaries may use valid accounts to interact with a remote network share using SMB.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Mount SMB Share via Command Line", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n )\n", + "references": [ + "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", + "https://ss64.com/osx/mount.html" + ], + "risk_score": 21, + "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-665e7a4f-c58e-4fc6-bc83-87a7572670ac.json b/packages/security_detection_engine/kibana/security_rule/rule-665e7a4f-c58e-4fc6-bc83-87a7572670ac.json index a01aeb87994..da054468bdf 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-665e7a4f-c58e-4fc6-bc83-87a7572670ac.json 
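Review bot: No `false_positives` entry accompanies the query, which fires on `mount_smbfs`, `mount ... smbfs`, `open smb://*` and `osascript ... mount volume`, all of which are also the ordinary ways a macOS user connects to a file server. A sentence such as `Users and scripts that regularly mount SMB shares from file servers will trigger this rule; consider excluding known servers or management accounts.` would help tuners, and the `risk_score` of 21 already suggests noise is expected. The mapping to T1021.002 fits the lateral-movement case the description targets.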
+++ b/packages/security_detection_engine/kibana/security_rule/rule-665e7a4f-c58e-4fc6-bc83-87a7572670ac.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "WebServer Access Logs Deleted", - "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\", \n \"/var/log/httpd/access_log\", \n \"/var/www/*/logs/access.log\")\n", - "risk_score": 47, - "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Windows", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of WebServer access logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WebServer Access Logs Deleted", + "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\", \n \"/var/log/httpd/access_log\", \n \"/var/www/*/logs/access.log\")\n", + "risk_score": 47, + "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-66883649-f908-4a5b-a1e0-54090a1d3a32.json b/packages/security_detection_engine/kibana/security_rule/rule-66883649-f908-4a5b-a1e0-54090a1d3a32.json index 54ca696bf69..f790ce27b00 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-66883649-f908-4a5b-a1e0-54090a1d3a32.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-66883649-f908-4a5b-a1e0-54090a1d3a32.json 
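Review bot: The rule carries neither a `false_positives` nor a `references` entry, although deletion events on the listed access-log paths may also be produced by routine log rotation and web-server package maintenance. Suggest a `false_positives` array along the lines of `Log rotation and web server maintenance may delete or replace access logs on these paths; exclude the rotation process or scheduled maintenance windows.` so a medium-severity alert is tuned rather than disabled. The Windows pattern `C:\\inetpub\\logs\\LogFiles\\*.log` relies on `*` spanning the per-site subdirectory IIS typically creates below `LogFiles`; if that is intended, an inline `/* IIS writes per-site logs one level below LogFiles */` in the query would make it explicit.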
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Commonly Abused Web Services", - "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"C:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"C:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS 
Code\\\\Code.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", - "risk_score": 21, - "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1102", - "name": "Web Service", - "reference": "https://attack.mitre.org/techniques/T1102/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. 
These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"C:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"C:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": 
"TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-66da12b1-ac83-40eb-814c-07ed1d82b7b9.json b/packages/security_detection_engine/kibana/security_rule/rule-66da12b1-ac83-40eb-814c-07ed1d82b7b9.json index 294cb7cd35a..8b2bf07c240 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-66da12b1-ac83-40eb-814c-07ed1d82b7b9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-66da12b1-ac83-40eb-814c-07ed1d82b7b9.json 
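Review bot: The description retains the garbled fragment `blend into legitimate traffic. activity. These popular services`; the stray `activity.` should be dropped so it reads `blend into legitimate traffic. These popular services ...`. The exclusion block under `/* Insert noisy false positives here */` is the only place the known-benign processes are documented; a `false_positives` entry such as `Browsers, IDE components, cloud-storage clients and Windows services legitimately resolve these domains; extend the process.executable exclusions for approved software.` would surface that where tuning guidance is expected. The rule is otherwise unchanged apart from the envelope.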
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious macOS MS Office Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\", \n \"dash\", \n \"sh\", \n \"tcsh\", \n \"csh\", \n \"zsh\", \n \"ksh\", \n \"fish\", \n \"python*\", \n \"perl*\", \n \"php*\", \n \"osascript\",\n \"pwsh\", \n \"curl\", \n \"wget\", \n \"cp\", \n \"mv\", \n \"base64\", \n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", - "references": [ - "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" - ], - "risk_score": 47, - "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing 
Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious macOS MS Office Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\", \n \"dash\", \n \"sh\", \n \"tcsh\", \n \"csh\", \n \"zsh\", \n \"ksh\", \n \"fish\", \n \"python*\", \n \"perl*\", \n \"php*\", \n \"osascript\",\n \"pwsh\", \n \"curl\", \n \"wget\", \n \"cp\", \n \"mv\", \n \"base64\", \n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", + "references": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" + ], + "risk_score": 47, + "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + 
{ + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json b/packages/security_detection_engine/kibana/security_rule/rule-6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json index 332717d396d..98e0d8e048b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json 
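Review bot: `index` lists only `logs-endpoint.events.*`, whereas the other macOS process rules in this diff (rule-6482255d, rule-661545b4) also read `auditbeat-*`; if the omission is deliberate because the `process.parent.name` field the query depends on is not populated by that source, a `note` saying so would stop the next maintainer from adding it. The exclusions justified by the inline `/* noisy false positives related to product version discovery and office errors reporting */` comment should also be recorded in a `false_positives` array, since that is the field the other rules in this diff use for tuning guidance.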
@@ -1,36 +1,40 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:policy.lifecycle.update", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 21, - "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", - "severity": "low", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.update", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 21, + "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json b/packages/security_detection_engine/kibana/security_rule/rule-676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json index e6bf6fc4933..738289a0d11 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json 
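Review bot: The rule has no `threat` array, although the description explicitly frames the activity as weakening an MFA policy to lower authentication requirements, and the sibling Okta rule in this diff (rule-676cff2b) does carry an ATT&CK mapping. A mapping to the Defense Evasion tactic (`TA0005`, already used elsewhere in this diff) with the Modify Authentication Process technique (T1556, to be confirmed against the ATT&CK version the package targets) would make the alert triage-ready. Without it the alert lands in the Kibana UI with no tactic to filter or pivot on.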
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", - "false_positives": [ - "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Revoke Okta API Token", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:system.api_token.revoke", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 21, - "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", - "severity": "low", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", + "false_positives": [ + "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Revoke Okta API Token", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:system.api_token.revoke", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 21, + "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-67a9beba-830d-4035-bfe8-40b7e28f8ac4.json b/packages/security_detection_engine/kibana/security_rule/rule-67a9beba-830d-4035-bfe8-40b7e28f8ac4.json index 0a66a5589d0..70e0a7aa89b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-67a9beba-830d-4035-bfe8-40b7e28f8ac4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-67a9beba-830d-4035-bfe8-40b7e28f8ac4.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", - "false_positives": [ - "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMTP to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. 
It is also frequently abused by threat actors for command and control, or data exfiltration.", + "false_positives": [ + "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 21, + "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + 
"technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-68113fdc-3105-4cdd-85bb-e643c416ef0b.json b/packages/security_detection_engine/kibana/security_rule/rule-68113fdc-3105-4cdd-85bb-e643c416ef0b.json index 99ea067507f..aeb0e436db8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-68113fdc-3105-4cdd-85bb-e643c416ef0b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-68113fdc-3105-4cdd-85bb-e643c416ef0b.json 
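Review bot: The first `threat` entry keeps `"technique": []` under the Command and Control tactic, so the C2 half of the description has no ATT&CK technique to triage against, while the Exfiltration entry maps to T1048. If the empty array is a placeholder, Application Layer Protocol: Mail Protocols (T1071.003, to be confirmed against the targeted ATT&CK version) is the natural candidate for SMTP-based C2. The `false_positives` sentence `NATed servers that process email traffic may false` is missing a word; `may cause false positives` reads correctly.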
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Query Registry via reg.exe", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"reg.exe\" or process.pe.original_file_name == \"reg.exe\") and\n process.args == \"query\"\n", - "risk_score": 21, - "rule_id": "68113fdc-3105-4cdd-85bb-e643c416ef0b", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1012", - "name": "Query Registry", - "reference": "https://attack.mitre.org/techniques/T1012/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Enumeration or discovery of the Windows registry using reg.exe. 
This information can be used to perform follow-on activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Query Registry via reg.exe", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"reg.exe\" or process.pe.original_file_name == \"reg.exe\") and\n process.args == \"query\"\n", + "risk_score": 21, + "rule_id": "68113fdc-3105-4cdd-85bb-e643c416ef0b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1012", + "name": "Query Registry", + "reference": "https://attack.mitre.org/techniques/T1012/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "68113fdc-3105-4cdd-85bb-e643c416ef0b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6839c821-011d-43bd-bd5b-acff00257226.json b/packages/security_detection_engine/kibana/security_rule/rule-6839c821-011d-43bd-bd5b-acff00257226.json index 79f183d652a..53892675ea1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6839c821-011d-43bd-bd5b-acff00257226.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6839c821-011d-43bd-bd5b-acff00257226.json 
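Review bot: `process.args == \"query\"` in the new `attributes.query` is a case-sensitive comparison if this EQL dialect separates `==` from `:` the way Elasticsearch EQL does, so an invocation written as `reg QUERY` or `reg Query` would not match even though the adjacent `process.name : \"reg.exe\"` test is case-insensitive. Changing the argument test to `process.args : \"query\"` would give both conditions the same tolerance. The query text itself is untouched by this commit, so this belongs in a rule revision (with `version` bumped) rather than in the saved-object wrapping done here.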
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Image File Execution Options Injection", - "query": "registry where length(registry.data.strings) \u003e 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n /* add FPs here */\n not registry.data.strings : (\"C:\\\\Program Files*\\\\ThinKiosk\\\\thinkiosk.exe\", \"*\\\\PSAppDeployToolkit\\\\*\")\n", - "references": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" - ], - "risk_score": 41, - "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.012", - "name": "Image File Execution Options Injection", - 
"reference": "https://attack.mitre.org/techniques/T1546/012/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Image File Execution Options Injection", + "query": "registry where length(registry.data.strings) \u003e 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n /* add FPs here */\n not registry.data.strings : (\"C:\\\\Program Files*\\\\ThinKiosk\\\\thinkiosk.exe\", \"*\\\\PSAppDeployToolkit\\\\*\")\n", + "references": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "risk_score": 41, + "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + 
"reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "6839c821-011d-43bd-bd5b-acff00257226", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json b/packages/security_detection_engine/kibana/security_rule/rule-6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json index 209a620381a..7a5f9ff940b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json 
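Review bot: The `registry.path` list in the new `attributes.query` watches `Image File Execution Options\*.exe\Debugger` under the native hive but `Image File Execution Options\*\Debugger` under WOW6432Node, so the two hives are not monitored with the same breadth. The suffix-less form is the more inclusive one; whichever is intended, the pair should agree so that a key registered under the native hive without the `.exe` suffix is not treated differently from the same key under WOW6432Node. The `/* add FPs here */` placeholder now carries two exclusions, and the second one matches any path containing a `PSAppDeployToolkit` directory anywhere; a short note in the rule source saying why that breadth is acceptable would help the next person tuning it.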
@@ -1,33 +1,37 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Threat Detected by Okta ThreatInsight",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:security.threat.detected",
- "references": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 47,
- "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Threat Detected by Okta ThreatInsight",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:security.threat.detected",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-68921d85-d0dc-48b3-865f-43291ca2c4f2.json b/packages/security_detection_engine/kibana/security_rule/rule-68921d85-d0dc-48b3-865f-43291ca2c4f2.json
index 420cac2bc14..f28671b6e43 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-68921d85-d0dc-48b3-865f-43291ca2c4f2.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-68921d85-d0dc-48b3-865f-43291ca2c4f2.json
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via TelemetryController Scheduled Task Hijack", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)", - "references": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033\u0026utm_medium=social\u0026utm_source=twitter\u0026hss_channel=tw-403811306" - ], - "risk_score": 73, - "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via 
TelemetryController Scheduled Task Hijack", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)", + "references": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033\u0026utm_medium=social\u0026utm_source=twitter\u0026hss_channel=tw-403811306" + ], + "risk_score": 73, + "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-68994a6c-c7ba-4e82-b476-26a26877adf6.json b/packages/security_detection_engine/kibana/security_rule/rule-68994a6c-c7ba-4e82-b476-26a26877adf6.json index 6aeb0624d75..8104bf1a34d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-68994a6c-c7ba-4e82-b476-26a26877adf6.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-68994a6c-c7ba-4e82-b476-26a26877adf6.json 
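Review bot: The `not process.name:(...)` clause in the new `attributes.query` excludes `rundll32.exe` and `powershell.exe` as children of CompatTelRunner.exe, and since both are common execution proxies, a hijacked task whose payload runs through either of them falls outside a rule rated `risk_score` 73 and `severity` high. If the two were added to quiet specific benign telemetry invocations, the exclusion could be narrowed to those invocations by also requiring a matching `process.args` value instead of dropping the process names outright. I cannot see the false-positive history from this diff, so the exact command lines to allow-list need confirming against the original tuning.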
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.", - "false_positives": [ - "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Assigned to a User", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE", - "references": [ - "https://support.google.com/a/answer/172176?hl=en" - ], - "risk_score": 47, - "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.", + "false_positives": [ + "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Assigned to a User", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE", + "references": [ + "https://support.google.com/a/answer/172176?hl=en" + ], + "risk_score": 47, + "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": 
"68994a6c-c7ba-4e82-b476-26a26877adf6", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-689b9d57-e4d5-4357-ad17-9c334609d79a.json b/packages/security_detection_engine/kibana/security_rule/rule-689b9d57-e4d5-4357-ad17-9c334609d79a.json index 32e3e9b48fb..4ff8c801a2a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-689b9d57-e4d5-4357-ad17-9c334609d79a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-689b9d57-e4d5-4357-ad17-9c334609d79a.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Scheduled Task Created by a Windows Script", - "note": "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", - "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", - "risk_score": 47, - "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Task Created by a Windows Script", + "note": "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", + "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "risk_score": 47, + "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "689b9d57-e4d5-4357-ad17-9c334609d79a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json b/packages/security_detection_engine/kibana/security_rule/rule-68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json index 3a7abfe8683..cd238109161 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json 
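Review bot: This rule is the only one in the batch whose `attributes` block has no `"timestamp_override": "event.ingested"`, and with `"from": "now-9m"` on an EQL sequence that means events that reach the index late from winlogbeat or the endpoint integration can fall outside the lookback and never be evaluated. If the omission is deliberate because of a sequence-rule limitation in the targeted Kibana version, recording that in the `note` field (alongside the existing base64 decoding hint) would stop it being re-added blindly; otherwise add `"timestamp_override": "event.ingested",` before `"type": "eql"` so it matches the sibling rules.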
@@ -1,77 +1,81 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Log Group Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", - "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" - ], - "risk_score": 47, - "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Log Group Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" + ], + "risk_score": 47, + "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense 
Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-68d56fdc-7ffa-4419-8e95-81641bd6f845.json b/packages/security_detection_engine/kibana/security_rule/rule-68d56fdc-7ffa-4419-8e95-81641bd6f845.json index 4aefe536e87..11f8632a261 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-68d56fdc-7ffa-4419-8e95-81641bd6f845.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-68d56fdc-7ffa-4419-8e95-81641bd6f845.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", - "risk_score": 73, - "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "risk_score": 73, + "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-69c251fb-a5d6-4035-b5ec-40438bd829ff.json b/packages/security_detection_engine/kibana/security_rule/rule-69c251fb-a5d6-4035-b5ec-40438bd829ff.json index 4909ee7faf0..7608a4d1fc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-69c251fb-a5d6-4035-b5ec-40438bd829ff.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-69c251fb-a5d6-4035-b5ec-40438bd829ff.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Boot Configuration", - "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", - "risk_score": 21, - "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of bcdedit.exe to delete boot configuration data. 
This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Boot Configuration", + "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json b/packages/security_detection_engine/kibana/security_rule/rule-69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json index fc144b18a73..f6005a95bb5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json 
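Review bot: The description does not match the query: it says bcdedit.exe is used to "delete boot configuration data", but the query matches `/set` with `bootstatuspolicy ignoreallfailures` or `recoveryenabled no`, which disables automatic repair and recovery rather than deleting the store. Suggested wording: `Identifies use of bcdedit.exe to disable the Windows boot status policy and automatic recovery options. This is sometimes used by malware or an attacker as a destructive technique.`, which also fixes the "used as by malware" typo. The ATT&CK mapping to T1070.004 (File Deletion) follows from the same misreading; T1490 (Inhibit System Recovery, under the Impact tactic TA0040) is the technique that describes these bcdedit arguments, and the `tags` and `threat` block should follow it.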
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Password Recovery Requested", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success", - "references": [ - "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/" - ], - "risk_score": 21, - "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. 
Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Password Recovery Requested", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success", + "references": [ + "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/" + ], + "risk_score": 21, + "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json b/packages/security_detection_engine/kibana/security_rule/rule-6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json index 95f845c18c1..810888bfce2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json 
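Review bot: The `note` names only the AWS Filebeat module as a prerequisite, yet the `index` list also includes `logs-aws*`, the pattern the Fleet AWS integration writes to, so one of the two supported sources is undocumented. Suggest `The AWS Fleet integration or Filebeat module must be enabled to use this rule.` so the note matches the index patterns the rule actually queries.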
@@ -1,72 +1,76 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", - "false_positives": [ - "Changes to Windows services or a rarely executed child process." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Service Host Child Process - Childless Service", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n", - "risk_score": 47, - "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation.", + "false_positives": [ + "Changes to Windows services or a rarely executed child process." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Service Host Child Process - Childless Service", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n", + "risk_score": 47, + "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": 
"https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.012", - "name": "Process Hollowing", - "reference": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6aace640-e631-4870-ba8e-5fdda09325db.json b/packages/security_detection_engine/kibana/security_rule/rule-6aace640-e631-4870-ba8e-5fdda09325db.json index d3c05e180b6..0105792ebe4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6aace640-e631-4870-ba8e-5fdda09325db.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6aace640-e631-4870-ba8e-5fdda09325db.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", - "false_positives": [ - "Legitimate exchange system administration activity." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Exporting Exchange Mailbox via PowerShell", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" - ], - "risk_score": 47, - "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." 
+ ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json b/packages/security_detection_engine/kibana/security_rule/rule-6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json index 9e43a0e13b1..598d01829cd 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json 
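Review bot: The match is on `process.args : "New-MailboxExportRequest*"`, so the rule only sees invocations where the cmdlet appears on the process command line; the description should state that scope, because it is a coverage limit an operator needs to know when tuning, and script-block logging is the complementary source for cmdlets run inside an existing PowerShell session. A short addition to the `note`, e.g. `This rule matches the cmdlet on the process command line only; enable PowerShell script block logging for coverage of cmdlets run inside an existing session.`, would make the boundary explicit. The description spells the cmdlet `New-MailBoxExportRequest` while the query and the Microsoft reference use `New-MailboxExportRequest`; the `:` operator is case-insensitive so detection is unaffected, but the text should use the documented spelling.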
@@ -1,78 +1,82 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sensitive Files Compression", - "query": "event.category:process and event.type:start and process.name:(zip or tar or gzip or hdiutil or 7z) and process.args: ( /root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or /root/.ssh/id_ed25519 or /root/.ssh/id_ed25519.pub or /root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 or /root/.ssh/known_hosts or /root/.bash_history or /etc/hosts or /home/*/.ssh/id_rsa or /home/*/.ssh/id_rsa.pub or /home/*/.ssh/id_ed25519 or /home/*/.ssh/id_ed25519.pub or /home/*/.ssh/authorized_keys or /home/*/.ssh/authorized_keys2 or /home/*/.ssh/known_hosts or /home/*/.bash_history or /root/.aws/credentials or /root/.aws/config or /home/*/.aws/credentials or /home/*/.aws/config or /root/.docker/config.json or /home/*/.docker/config.json or /etc/group or /etc/passwd or /etc/shadow or /etc/gshadow )", - "references": [ - "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" - ], - "risk_score": 47, - "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Collection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + 
"logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Files Compression", + "query": "event.category:process and event.type:start and process.name:(zip or tar or gzip or hdiutil or 7z) and process.args: ( /root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or /root/.ssh/id_ed25519 or /root/.ssh/id_ed25519.pub or /root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 or /root/.ssh/known_hosts or /root/.bash_history or /etc/hosts or /home/*/.ssh/id_rsa or /home/*/.ssh/id_rsa.pub or /home/*/.ssh/id_ed25519 or /home/*/.ssh/id_ed25519.pub or /home/*/.ssh/authorized_keys or /home/*/.ssh/authorized_keys2 or /home/*/.ssh/known_hosts or /home/*/.bash_history or /root/.aws/credentials or /root/.aws/config or /home/*/.aws/credentials or /home/*/.aws/config or /root/.docker/config.json or /home/*/.docker/config.json or /etc/group or /etc/passwd or /etc/shadow or /etc/gshadow )", + "references": [ + "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "risk_score": 47, + "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Collection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.001", - "name": "Credentials In Files", - "reference": 
"https://attack.mitre.org/techniques/T1552/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1560", - "name": "Archive Collected Data", - "reference": "https://attack.mitre.org/techniques/T1560/", - "subtechnique": [ - { - "id": "T1560.001", - "name": "Archive via Utility", - "reference": "https://attack.mitre.org/techniques/T1560/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6cd1779c-560f-4b68-a8f1-11009b27fe63.json b/packages/security_detection_engine/kibana/security_rule/rule-6cd1779c-560f-4b68-a8f1-11009b27fe63.json index 09c95e2a0ab..76c1f6d3faf 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6cd1779c-560f-4b68-a8f1-11009b27fe63.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6cd1779c-560f-4b68-a8f1-11009b27fe63.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", - "false_positives": [ - "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Server UM Writing Suspicious Files", - "query": "file where event.type == \"creation\" and\n process.parent.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : (\"C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\",\n \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\") or\n (file.path : \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and not file.name : \"TimeoutLogoff.aspx\")\n )\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" - ], - "risk_score": 47, - "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic", + 
"Austin Songer" + ], + "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", + "false_positives": [ + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Writing Suspicious Files", + "query": "file where event.type == \"creation\" and\n process.parent.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : (\"C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\",\n \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\") or\n (file.path : \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "risk_score": 47, + "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "type": "security_rule" } \ No newline at end 
of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6d448b96-c922-4adb-b51c-b767f1ea5b76.json b/packages/security_detection_engine/kibana/security_rule/rule-6d448b96-c922-4adb-b51c-b767f1ea5b76.json index f1b3f68f71f..da1cb6ebffb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6d448b96-c922-4adb-b51c-b767f1ea5b76.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6d448b96-c922-4adb-b51c-b767f1ea5b76.json 
@@ -1,31 +1,35 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_process_by_host_windows_ecs", - "name": "Unusual Process For a Windows Host", - "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_process_by_host_windows_ecs", + "name": "Unusual Process For a Windows Host", + "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. 
If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6e40d56f-5c0e-4ac6-aece-bee96645b172.json b/packages/security_detection_engine/kibana/security_rule/rule-6e40d56f-5c0e-4ac6-aece-bee96645b172.json index cde5b1f0324..515fbd356e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6e40d56f-5c0e-4ac6-aece-bee96645b172.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6e40d56f-5c0e-4ac6-aece-bee96645b172.json 
@@ -1,31 +1,35 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", - "name": "Anomalous Process For a Windows Population", - "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", + "name": "Anomalous Process For a Windows Population", + "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. 
If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json b/packages/security_detection_engine/kibana/security_rule/rule-6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json index 5ef5b5c2788..37c1ea9e552 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json 
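Review bot: The new envelope carries the rule identifier twice, as top-level `id` and as `attributes.rule_id` (and a third time in the file name), and nothing in this diff guards against the copies drifting apart. If the package build does not already do so, a check that `id` equals `attributes.rule_id` and the UUID in the file name would catch a bad copy before it is imported as a saved object under the wrong id. The same applies to every rule file in this diff, including the hunks for 6e9b351e, 6ea41894, 6ea55c81, 6ea71ff0, 6f1500bc and 6f435062. Note also that `type` now appears at two levels with different meanings (`"security_rule"` for the saved-object type, `"machine_learning"` for the rule type); that is dictated by the saved-object format, but it is worth one line in the package documentation so readers do not confuse the two.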
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Users or Groups via Built-in Commands", - "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\") and \n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", - "risk_score": 21, - "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Users or Groups via Built-in Commands", + "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\") and \n process.name : (\"ldapsearch\", 
\"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", + "risk_score": 21, + "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json b/packages/security_detection_engine/kibana/security_rule/rule-6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json index 69fb69486ea..4c602339cb7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json 
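Review bot: The EQL in `query` mixes `and` and `or` without grouping, and since `and` binds tighter than `or`, the `event.type in (...)` filter and the NoMAD/ZoomPresence parent-process exclusion apply only to the `ldapsearch`/`dsmemberutil` branch; the `dscl` branch after `or` matches any process event and ignores both. Wrapping the two name branches makes the intent explicit: `... and not process.parent.executable : (...) and (process.name : ("ldapsearch", "dsmemberutil") or (process.name : "dscl" and process.args : (...) and process.args : (...)))`. Because that changes detection logic, `version` should be bumped with it rather than left at 1. This is inherited from the old side, not introduced by the rewrap.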
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", - "false_positives": [ - "Legit Application Crash with rare Werfault commandline value" - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Windows Error Manager Masquerading", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", - "references": [ - "https://twitter.com/SBousseaden/status/1235533224337641473", - "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", - "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" - ], - "risk_score": 47, - "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of the Windows Error Reporting 
process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", + "false_positives": [ + "Legit Application Crash with rare Werfault commandline value" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Windows Error Manager Masquerading", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", + "references": [ + "https://twitter.com/SBousseaden/status/1235533224337641473", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" + ], + "risk_score": 47, + "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "type": "security_rule" } \ No newline at end of file 
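Review bot: The network stage of the sequence matches only `network.direction == "outgoing"`, while the rule also targets `winlogbeat-*` and `logs-windows.*`; ECS defines `egress`/`outbound` rather than `outgoing` for this direction, so events from those sources likely never complete the sequence and coverage is in practice limited to the endpoint data stream. If that is intended it deserves a sentence in `description`; otherwise `network.direction : ("outgoing", "egress", "outbound")` covers all three index patterns. Separately, the loopback exclusion is by two exact addresses (`::1`, `127.0.0.1`), so a local-only connection to any other 127.0.0.0/8 address still satisfies the sequence. This is pre-existing logic, not something the rewrap changes.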
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6ea55c81-e2ba-42f2-a134-bccf857ba922.json b/packages/security_detection_engine/kibana/security_rule/rule-6ea55c81-e2ba-42f2-a134-bccf857ba922.json index e66b5bb9d86..218c4d22136 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6ea55c81-e2ba-42f2-a134-bccf857ba922.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6ea55c81-e2ba-42f2-a134-bccf857ba922.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Security Software Discovery using WMIC", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", - "risk_score": 47, - "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery using WMIC", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", + "risk_score": 47, + "rule_id": 
"6ea55c81-e2ba-42f2-a134-bccf857ba922", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6ea71ff0-9e95-475b-9506-2580d1ce6154.json b/packages/security_detection_engine/kibana/security_rule/rule-6ea71ff0-9e95-475b-9506-2580d1ce6154.json index c7166402c5d..f4455b9845c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6ea71ff0-9e95-475b-9506-2580d1ce6154.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6ea71ff0-9e95-475b-9506-2580d1ce6154.json 
@@ -1,44 +1,48 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", - "false_positives": [ - "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." 
- ], - "index": [ - "filebeat-*", - "packetbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "DNS Activity to the Internet", - "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")", - "references": [ - "https://www.us-cert.gov/ncas/alerts/TA15-240A", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" - ], - "risk_score": 47, - "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", - "severity": "medium", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", + "false_positives": [ + "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. 
This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." + ], + "index": [ + "filebeat-*", + "packetbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "DNS Activity to the Internet", + "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")", + "references": [ + "https://www.us-cert.gov/ncas/alerts/TA15-240A", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" + ], + "risk_score": 47, + "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6f1500bc-62d7-4eb9-8601-7485e87da2f4.json b/packages/security_detection_engine/kibana/security_rule/rule-6f1500bc-62d7-4eb9-8601-7485e87da2f4.json index 5cbcca5835a..1a6f501aeab 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6f1500bc-62d7-4eb9-8601-7485e87da2f4.json 
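Review bot: The `source.ip` clause lists only the IPv4 RFC 1918 ranges, so an IPv6 client on a ULA address (fc00::/7) that sends DNS straight to the Internet never matches, even though the `destination.ip` exclusion already handles IPv6 (`::1`, `FE80::/10`, `FF00::/8`). If IPv6 coverage is wanted, `source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "fc00::/7" )` closes the gap, and the same applies to the SSH rule in the 6f1500bc hunk below. `type:dns` next to `event.type:connection` reads like a deliberate reference to Packetbeat's legacy top-level `type` field rather than a typo; if so, a short `note` saying which sources populate it would save the next reader the guess. Both points are pre-existing in the old side and not changed by this commit.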
+++ b/packages/security_detection_engine/kibana/security_rule/rule-6f1500bc-62d7-4eb9-8601-7485e87da2f4.json 
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH (Secure Shell) to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. 
Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH (Secure Shell) to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 21, + "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-6f435062-b7fc-4af9-acea-5b1ead65c5a5.json b/packages/security_detection_engine/kibana/security_rule/rule-6f435062-b7fc-4af9-acea-5b1ead65c5a5.json index e1c1af2e82f..da021a41047 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-6f435062-b7fc-4af9-acea-5b1ead65c5a5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-6f435062-b7fc-4af9-acea-5b1ead65c5a5.json 
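Review bot: `description` says the rule "may indicate the use of SSH traffic from the Internet" and goes on about SSH being "exposed to the Internet", but the rule name, the private-range `source.ip` clause and the `destination.ip` exclusions all describe outbound SSH to the Internet, so the text contradicts the logic. Suggest `"This rule detects network events that may indicate the use of SSH traffic to the Internet."` for the first sentence, and rewording the last sentence around unexpected outbound SSH from internal hosts rather than exposure of an SSH service. The `false_positives` entry already talks about Internet destinations, so only `description` is off.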
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Role Modified", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "risk_score": 47, - "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Role Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "risk_score": 47, + "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": 
"6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-441c593e16ab.json b/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-441c593e16ab.json index f531dadba55..1763d094069 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-441c593e16ab.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-441c593e16ab.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", - "false_positives": [ - "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Deleted", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" - ], - "risk_score": 47, - "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of 
an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", + "false_positives": [ + "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Deleted", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" + ], + "risk_score": 47, + "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "7024e2a0-315d-4334-bb1a-441c593e16ab", + "type": "security_rule" } \ No newline at end of file 
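Review bot: The `note` field still says only "The AWS Filebeat module must be enabled", although `index` also targets `logs-aws*`, the Fleet integration data stream; the Okta rules in this same change word the equivalent prerequisite as "The Okta Fleet integration or Filebeat module must be enabled to use this rule." Suggest `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` for consistency. Separately, the query requires `event.outcome:success`, so a denied `DeleteTrail` call from an unexpected principal never alerts; that is a deliberate precision trade-off, but it deserves one sentence in `false_positives` or `note` so analysts know failed deletion attempts must be hunted separately.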
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-552d604f27bc.json b/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-552d604f27bc.json index 0aa19979fc7..3eea18c384b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-552d604f27bc.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7024e2a0-315d-4334-bb1a-552d604f27bc.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.", - "false_positives": [ - "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Config Service Tampering", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com", - "references": [ - "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", - "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" - ], - "risk_score": 47, - "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.", + "false_positives": [ + "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Config Service Tampering", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" + ], + "risk_score": 47, + "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + 
} + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "7024e2a0-315d-4334-bb1a-552d604f27bc", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json b/packages/security_detection_engine/kibana/security_rule/rule-70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json index 1806f71e5d9..e4351045558 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json 
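Review bot: The `description` carries a typo, `visibiltiy`, which is shown verbatim in the Kibana rule list and in alert text; change it to `reduce visibility into the security posture of an account`. The `note` also mentions only the Filebeat module while `index` includes the `logs-aws*` integration stream, so the same "Fleet integration or Filebeat module" wording used by the Okta rules in this change would be more accurate. Unlike the CloudTrail rule, this query has no `event.outcome` filter, so failed `DeleteConfigRule` calls alert too; that matches the "attempts" wording in the description but is worth stating in `false_positives`, since a denied call from an unprivileged role is a different triage path than a successful deletion.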
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "query": "event.category:process and event.type:(start or process_started) and process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")", - "risk_score": 73, - "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "query": "event.category:process and event.type:(start or process_started) and process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")", + "risk_score": 73, + "rule_id": 
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-717f82c2-7741-4f9b-85b8-d06aeb853f4f.json b/packages/security_detection_engine/kibana/security_rule/rule-717f82c2-7741-4f9b-85b8-d06aeb853f4f.json index d7554156807..a9d767f1428 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-717f82c2-7741-4f9b-85b8-d06aeb853f4f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-717f82c2-7741-4f9b-85b8-d06aeb853f4f.json 
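Review bot: The `process.args` clause is an exact keyword match on two spellings of the kext path, so `kextunload` invoked with a relative path, a trailing slash, or the bundle-identifier form (`-b`) would not match even though the same extension is unloaded; a wildcard term such as `process.args:*EndpointSecurity.kext*` covers the path variants (the bundle-id form would need its own term, and I cannot confirm the identifier from this file). For a high-severity rule there is also no `false_positives` or `note` entry; an Elastic Agent upgrade or uninstall presumably unloads the kext legitimately, so a sentence telling the triager how to recognise that (parent process, signed installer) would cut noise.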
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Dynamic Linker Preload Shared Object", - "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload", - "references": [ - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" - ], - "risk_score": 47, - "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "LD_PRELOAD", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). 
Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Dynamic Linker Preload Shared Object", + "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload", + "references": [ + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "risk_score": 47, + "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "LD_PRELOAD", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-71bccb61-e19b-452f-b104-79a60e546a95.json b/packages/security_detection_engine/kibana/security_rule/rule-71bccb61-e19b-452f-b104-79a60e546a95.json index 59e9e9a7c2b..1889bee9a1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-71bccb61-e19b-452f-b104-79a60e546a95.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-71bccb61-e19b-452f-b104-79a60e546a95.json 
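Review bot: The rule ships without a `false_positives` entry even though `/etc/ld.so.preload` is legitimately written by some endpoint-security and monitoring agents that install their own preload library, and by package post-install scripts; without that guidance every such write raises a medium alert with no tuning hint. Suggest `"false_positives": ["Some security or monitoring agents install a preload library and write /etc/ld.so.preload during installation or upgrade. Verify the writing process and consider an exception for it."]`. Excluding `event.type:deletion` is reasonable, but the rule is mapped only to Privilege Escalation while T1574.006 is also a persistence and defense-evasion technique; adding the Persistence tactic entry would make the ATT&CK coverage view more accurate.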
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual File Creation - Alternate Data Stream", - "query": "file where event.type == \"creation\" and\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", - "risk_score": 47, - "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.004", - "name": "NTFS File Attributes", - "reference": "https://attack.mitre.org/techniques/T1564/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. 
This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "query": "file where event.type == \"creation\" and\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-71c5cb27-eca5-4151-bb47-64bc3f883270.json b/packages/security_detection_engine/kibana/security_rule/rule-71c5cb27-eca5-4151-bb47-64bc3f883270.json index d7f7a24cc48..3d69a557d0b 100644 
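Review bot: `"png"` appears twice in the `file.extension` list (once after `"dll"` and again after `"jpg"`), which is harmless to the EQL `:` match but shows the list was not deduplicated; drop one occurrence. The only exclusion is `not file.path : "C:\\*:zone.identifier*"`, i.e. the Mark-of-the-Web stream; if other benign stream names turn up in a deployment they are better documented in a `false_positives` entry (the rule currently has none) than silently widened in the query, so the suppression stays visible to whoever tunes the rule next.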
--- a/packages/security_detection_engine/kibana/security_rule/rule-71c5cb27-eca5-4151-bb47-64bc3f883270.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-71c5cb27-eca5-4151-bb47-64bc3f883270.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious RDP ActiveX Client Loaded", - "query": "library where dll.name : \"mstscax.dll\" and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" - ], - "risk_score": 47, - "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + 
"language": "eql", + "license": "Elastic License v2", + "name": "Suspicious RDP ActiveX Client Loaded", + "query": "library where dll.name : \"mstscax.dll\" and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "risk_score": 47, + "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-729aa18d-06a6-41c7-b175-b65b739b1181.json b/packages/security_detection_engine/kibana/security_rule/rule-729aa18d-06a6-41c7-b175-b65b739b1181.json index d1a2bb3a2b5..461d2b990c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-729aa18d-06a6-41c7-b175-b65b739b1181.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-729aa18d-06a6-41c7-b175-b65b739b1181.json 
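Review bot: The query carries two in-line tuning hints (`/* depending on noise in your env add here extra paths */` and `/* add here FPs */`) but the rule has no `false_positives` or `note` field, so the guidance lives only inside the query text that most analysts never open. Suggest `"false_positives": ["Legitimate RDP clients or remote-administration tools installed under the listed paths (for example agents under C:\\ProgramData) will load mstscax.dll; add their process.executable to the exclusion list."]`. The exclusion only names the two `mstsc.exe` locations, so any other Microsoft binary under `C:\\Windows\\*` that loads the DLL will alert; that may be intended, but stating it in the note avoids it being mistaken for a bug.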
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Reset MFA Factors for an Okta User Account", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 21, - "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", - "severity": "low", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. 
An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Reset MFA Factors for an Okta User Account", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 21, + "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "729aa18d-06a6-41c7-b175-b65b739b1181", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json b/packages/security_detection_engine/kibana/security_rule/rule-7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json index 657716d43ba..abd6c9ab2aa 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json 
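Review bot: The `note` only states the data-source prerequisite; for a rule that fires on every `user.mfa.factor.reset_all` event it would help the triager to say what separates a routine reset from account-takeover preparation — whether the actor is an administrator or the target user, whether the same actor resets factors for several targets in a short window, and whether new factors are enrolled shortly afterwards. Suggest appending a short triage paragraph to `note` describing those checks. The description's "attempts" wording matches the query, which has no `event.outcome` filter, so failed resets alert as well; that is worth stating explicitly in `false_positives`.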
+++ b/packages/security_detection_engine/kibana/security_rule/rule-7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json 
@@ -1,78 +1,82 @@ { - "author": [ - "Elastic" - ], - "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Modification of Accessibility Binaries", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", - "references": [ - "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" - ], - "risk_score": 73, - "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + 
"description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.008", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1546/008/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.008", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1546/008/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json b/packages/security_detection_engine/kibana/security_rule/rule-7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json index 8c994b266ff..63f092df04d 100644 
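Review bot: The allowlist `not process.pe.original_file_name in (...)` lists both `"magnify.exe"` and `"MAGNIFY.EXE"`, which only makes sense because EQL `in` compares case-sensitively; every other entry (`osk.exe`, `sethc.exe`, `Narrator.exe`, ...) appears in a single casing, so a legitimate binary whose PE original name differs only in case would escape the allowlist and raise a high-severity false positive. If the deployed EQL supports it, `not process.pe.original_file_name in~ (...)` removes the problem; otherwise list each name in the casings actually observed. The trailing comment still says the code-signature guard is to be uncommented "once in winlogbeat" and acknowledges the bypass by a rogue process with a matching original file name, yet `index` already includes `logs-endpoint.events.*`, where `process.code_signature.*` is populated; either enable the guard for that source or record in `note` that the rule is knowingly bypassable until it is enabled.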
--- a/packages/security_detection_engine/kibana/security_rule/rule-7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json 
@@ -1,55 +1,59 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
-  "from": "now-9m",
-  "index": [
-    "auditbeat-*",
-    "logs-endpoint.events.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Modification of Environment Variable via Launchctl",
-  "query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME or LG_WEBOS_TV_SDK_HOME or WEBOS_CLI_TV or EDEN_ENV) ) and not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/usr/local/bin/kr\" or \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")",
-  "references": [
-    "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
-  ],
-  "risk_score": 47,
-  "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Host",
-    "macOS",
-    "Threat Detection",
-    "Defense Evasion"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1574",
-          "name": "Hijack Execution Flow",
-          "reference": "https://attack.mitre.org/techniques/T1574/",
-          "subtechnique": [
-            {
-              "id": "T1574.007",
-              "name": "Path Interception by PATH Environment Variable",
-              "reference": "https://attack.mitre.org/techniques/T1574/007/"
-            }
-          ]
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 1
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Environment Variable via Launchctl",
+    "query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME or LG_WEBOS_TV_SDK_HOME or WEBOS_CLI_TV or EDEN_ENV) ) and not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/usr/local/bin/kr\" or \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
+    ],
+    "risk_score": 47,
+    "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-746edc4c-c54c-49c6-97a1-651223819448.json b/packages/security_detection_engine/kibana/security_rule/rule-746edc4c-c54c-49c6-97a1-651223819448.json
index 0c31cab0dd3..3ae7bb40711 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-746edc4c-c54c-49c6-97a1-651223819448.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-746edc4c-c54c-49c6-97a1-651223819448.json
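Review bot: The `process.parent.executable` exclusion list inside the `query` string names `/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin` twice; the duplicate is harmless to the KQL but reads as a copy-paste slip, and one occurrence should be removed the next time the rule content (and therefore `version`) is revised. The single `references` URL has a doubled slash, `blob/master//modules/...`; GitHub tolerates it, but it should read `https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/escalate/tccbypass.rb`. Both are carried over unchanged by the saved-object wrapping, so they are pre-existing rather than introduced by this commit.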
@@ -1,29 +1,33 @@
 {
-  "anomaly_threshold": 50,
-  "author": [
-    "Elastic"
-  ],
-  "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
-  "false_positives": [
-    "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
-  ],
-  "from": "now-45m",
-  "interval": "15m",
-  "license": "Elastic License v2",
-  "machine_learning_job_id": "packetbeat_rare_dns_question",
-  "name": "Unusual DNS Activity",
-  "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-  ],
-  "risk_score": 21,
-  "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Network",
-    "Threat Detection",
-    "ML"
-  ],
-  "type": "machine_learning",
-  "version": 4
+  "attributes": {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  "id": "746edc4c-c54c-49c6-97a1-651223819448",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-75ee75d8-c180-481c-ba88-ee50129a6aef.json b/packages/security_detection_engine/kibana/security_rule/rule-75ee75d8-c180-481c-ba88-ee50129a6aef.json
index 15789dff599..0d7f88acfde 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-75ee75d8-c180-481c-ba88-ee50129a6aef.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-75ee75d8-c180-481c-ba88-ee50129a6aef.json
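Review bot: The `description` string has a subject–verb disagreement: "a rare and unusual DNS query that indicate network activity" should read "that indicates network activity". This text is what analysts see on the rule detail page, so it is worth correcting; since it is rule content rather than the saved-object envelope, the fix presumably belongs in a content revision that also bumps `version` from 4, not in this format-only change.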
@@ -1,29 +1,33 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
-  "false_positives": [
-    "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
-  ],
-  "index": [
-    "apm-*-transaction*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Web Application Suspicious Activity: Unauthorized Method",
-  "query": "http.response.status_code:405",
-  "references": [
-    "https://en.wikipedia.org/wiki/HTTP_405"
-  ],
-  "risk_score": 47,
-  "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "APM"
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 6
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  "id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-76152ca1-71d0-4003-9e37-0983e12832da.json b/packages/security_detection_engine/kibana/security_rule/rule-76152ca1-71d0-4003-9e37-0983e12832da.json
index e7450de6388..b42775d46ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-76152ca1-71d0-4003-9e37-0983e12832da.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-76152ca1-71d0-4003-9e37-0983e12832da.json
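Review bot: The rule `name` "Web Application Suspicious Activity: Unauthorized Method" blurs HTTP 405 (Method Not Allowed) with 401 (Unauthorized); an analyst triaging by name may expect authentication failures, while the `query` matches only `http.response.status_code:405`. Renaming is a content change, but at minimum the `description` should use the status-line wording, and it is also missing an article and its terminal period: `A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.`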
@@ -1,53 +1,57 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
-  "from": "now-9m",
-  "index": [
-    "auditbeat-*",
-    "logs-endpoint.events.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Potential Privilege Escalation via Sudoers File Modification",
-  "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)",
-  "risk_score": 73,
-  "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
-  "severity": "high",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Linux",
-    "macOS",
-    "Threat Detection",
-    "Privilege Escalation"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0004",
-        "name": "Privilege Escalation",
-        "reference": "https://attack.mitre.org/tactics/TA0004/"
-      },
-      "technique": [
-        {
-          "id": "T1548",
-          "name": "Abuse Elevation Control Mechanism",
-          "reference": "https://attack.mitre.org/techniques/T1548/",
-          "subtechnique": [
-            {
-              "id": "T1548.003",
-              "name": "Sudo and Sudo Caching",
-              "reference": "https://attack.mitre.org/techniques/T1548/003/"
-            }
-          ]
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 1
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via Sudoers File Modification",
+    "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)",
+    "risk_score": 73,
+    "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  "id": "76152ca1-71d0-4003-9e37-0983e12832da",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json b/packages/security_detection_engine/kibana/security_rule/rule-76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json
index 4e72ecf8055..10c537dcf69 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json
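Review bot: The `query` matches only `process.args:(echo and *NOPASSWD*ALL*)`, so the rule covers sudoers entries written through `echo`; edits made with `visudo` or any other editor fall outside its scope, and neither the `name` nor the `description` says so. The rule also carries no `false_positives` entry although provisioning and configuration-management tooling can legitimately write `NOPASSWD` lines. I would add a `false_positives` string along the lines of `Configuration management or provisioning tools that write NOPASSWD entries to sudoers can trigger this rule; add exceptions for known automation accounts.` and state the echo-only scope in the `description`.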
@@ -1,49 +1,53 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of adversary lateral movement to interactively access restricted networks.",
-  "from": "now-9m",
-  "index": [
-    "logs-endpoint.events.*",
-    "winlogbeat-*",
-    "logs-windows.*"
-  ],
-  "language": "eql",
-  "license": "Elastic License v2",
-  "name": "Potential Remote Desktop Tunneling Detected",
-  "query": "process where event.type in (\"start\", \"process_started\") and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
-  "references": [
-    "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
-  ],
-  "risk_score": 73,
-  "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
-  "severity": "high",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Lateral Movement"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0008",
-        "name": "Lateral Movement",
-        "reference": "https://attack.mitre.org/tactics/TA0008/"
-      },
-      "technique": [
-        {
-          "id": "T1021",
-          "name": "Remote Services",
-          "reference": "https://attack.mitre.org/techniques/T1021/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "eql",
-  "version": 3
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of adversary lateral movement to interactively access restricted networks.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Tunneling Detected",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+    "references": [
+      "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
+    ],
+    "risk_score": 73,
+    "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-770e0c4d-b998-41e5-a62e-c7901fd7f470.json b/packages/security_detection_engine/kibana/security_rule/rule-770e0c4d-b998-41e5-a62e-c7901fd7f470.json
index 287b290eca4..663b2349419 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-770e0c4d-b998-41e5-a62e-c7901fd7f470.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-770e0c4d-b998-41e5-a62e-c7901fd7f470.json
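Review bot: The EQL `:` operator compares strings case-insensitively, so the switch list `process.args : ("-L", "-P", "-R", "-pw", "-ssh")` in the `query` also matches lowercase `-l`, `-p` and `-r`; any ssh invocation carrying `-p` together with an argument ending in `:3389` will fire. The rule has no `false_positives` entry even though administrators forward RDP over SSH as routine remote access, and with `risk_score` 73 each hit is treated as high severity. I would add a `false_positives` string such as `Administrators and support staff may tunnel RDP over SSH as part of normal remote access; exclude known jump hosts or service accounts.` and mention the case-insensitive matching in a `note`.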
@@ -1,46 +1,50 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
-  "from": "now-9m",
-  "index": [
-    "winlogbeat-*",
-    "logs-endpoint.events.*",
-    "logs-windows.*"
-  ],
-  "language": "eql",
-  "license": "Elastic License v2",
-  "name": "Enumeration Command Spawned via WMIPrvSE",
-  "query": "process where event.type in (\"start\", \"process_started\") and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n",
-  "risk_score": 21,
-  "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Execution"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1047",
-          "name": "Windows Management Instrumentation",
-          "reference": "https://attack.mitre.org/techniques/T1047/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "eql",
-  "version": 1
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration Command Spawned via WMIPrvSE",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-774f5e28-7b75-4a58-b94e-41bf060fdd86.json b/packages/security_detection_engine/kibana/security_rule/rule-774f5e28-7b75-4a58-b94e-41bf060fdd86.json
index b63eb24444d..75958e0f18e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-774f5e28-7b75-4a58-b94e-41bf060fdd86.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-774f5e28-7b75-4a58-b94e-41bf060fdd86.json
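Review bot: The rule fires on any of twenty-two native binaries whose parent is `wmiprvse.exe`, but it carries no `false_positives` entry, although remote administration and monitoring products routinely run inventory and network commands through WMI. I would add a `false_positives` string such as `Management and monitoring tools that run inventory or network commands through WMI may trigger this rule; add exceptions for known administration hosts or service accounts.`; `risk_score` 21 already reflects the expected noise, but the field is what analysts use to tune the rule.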
@@ -1,47 +1,51 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
-  "from": "now-25m",
-  "index": [
-    "filebeat-*",
-    "logs-azure*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "User Added as Owner for Azure Application",
-  "note": "The Azure Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)",
-  "risk_score": 21,
-  "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Cloud",
-    "Azure",
-    "Continuous Monitoring",
-    "SecOps",
-    "Configuration Audit"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0003",
-        "name": "Persistence",
-        "reference": "https://attack.mitre.org/tactics/TA0003/"
-      },
-      "technique": [
-        {
-          "id": "T1098",
-          "name": "Account Manipulation",
-          "reference": "https://attack.mitre.org/techniques/T1098/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 4
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Application",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-77a3c3df-8ec4-4da4-b758-878f551dee69.json b/packages/security_detection_engine/kibana/security_rule/rule-77a3c3df-8ec4-4da4-b758-878f551dee69.json
index 9e20ac309ee..d6d4d523016 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-77a3c3df-8ec4-4da4-b758-878f551dee69.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-77a3c3df-8ec4-4da4-b758-878f551dee69.json
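Review bot: The `note` reads only `The Azure Filebeat module must be enabled to use this rule.`, yet the `index` list also contains `logs-azure*`, which appears to be the data stream written by the Elastic Agent (Fleet) Azure integration, so the prerequisite is under-documented for agent-based deployments. I would reword it to `The Azure Fleet integration or Filebeat module must be enabled to use this rule.` The `note` of rule 7882cebf later in this diff has the same wording and the same `logs-azure*` index pattern, so it should get the same change.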
@@ -1,24 +1,28 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
-  "from": "now-15m",
-  "index": [
-    "endgame-*"
-  ],
-  "interval": "10m",
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Adversary Behavior - Detected - Elastic Endgame",
-  "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
-  "risk_score": 47,
-  "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Elastic Endgame"
-  ],
-  "type": "query",
-  "version": 5
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Adversary Behavior - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  "id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-785a404b-75aa-4ffd-8be5-3334a5a544dd.json b/packages/security_detection_engine/kibana/security_rule/rule-785a404b-75aa-4ffd-8be5-3334a5a544dd.json
index 9100e56946d..768a698a2bd 100644
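Review bot: This rule sets `"from": "now-15m"` with `"interval": "10m"` but, unlike the other query rules in this diff, has no `timestamp_override`, so an `endgame-*` alert whose ingestion lags its `@timestamp` by more than the 15-minute lookback is never evaluated, and lags above the five-minute overlap can be missed depending on schedule phase. If Endgame alerts are known to arrive promptly this is acceptable, but I would either add `"timestamp_override": "event.ingested"` or record the reason for leaving it out in a `note`.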
--- a/packages/security_detection_engine/kibana/security_rule/rule-785a404b-75aa-4ffd-8be5-3334a5a544dd.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-785a404b-75aa-4ffd-8be5-3334a5a544dd.json
@@ -1,37 +1,41 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
-  "false_positives": [
-    "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
-  ],
-  "from": "now-130m",
-  "index": [
-    "filebeat-*",
-    "logs-google_workspace*"
-  ],
-  "interval": "10m",
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Application Added to Google Workspace Domain",
-  "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
-  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
-  "references": [
-    "https://support.google.com/a/answer/6328701?hl=en#"
-  ],
-  "risk_score": 47,
-  "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Cloud",
-    "Google Workspace",
-    "Continuous Monitoring",
-    "SecOps",
-    "Configuration Audit"
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 3
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+    "false_positives": [
+      "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Application Added to Google Workspace Domain",
+    "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+    "references": [
+      "https://support.google.com/a/answer/6328701?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+  "type": "security_rule"
 }
\ No newline at end of file
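Review bot: The `note` documents polling lag only for the Filebeat module (`var.interval` and the filebeat-module-gsuite page), yet `index` also lists `logs-google_workspace*`, which appears to be the Elastic Agent (Fleet) integration's data stream, so agent users get no guidance on the equivalent collection-interval setting. I would add a bullet to the note that points integration users at the Google Workspace integration's interval setting alongside the Filebeat advice; the note is long enough that I describe rather than quote it. Separately, the `references` URL `https://support.google.com/a/answer/6328701?hl=en#` ends in a stray `#` that should be dropped.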
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7882cebf-6cf1-4de3-9662-213aa13e8b80.json b/packages/security_detection_engine/kibana/security_rule/rule-7882cebf-6cf1-4de3-9662-213aa13e8b80.json
index c8cccf8eb6e..2f3f0db1e25 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-7882cebf-6cf1-4de3-9662-213aa13e8b80.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-7882cebf-6cf1-4de3-9662-213aa13e8b80.json
@@ -1,66 +1,70 @@ { - "author": [ - "Elastic" - ], - "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Privilege Identity Management Role Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", - "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" - ], - "risk_score": 47, - "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. 
An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Privilege Identity Management Role Modified", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" + ], + "risk_score": 47, + "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-78d3d8d9-b476-451d-a9e0-7a5addd70670.json b/packages/security_detection_engine/kibana/security_rule/rule-78d3d8d9-b476-451d-a9e0-7a5addd70670.json index 9d83900e8be..84584dc0e20 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-78d3d8d9-b476-451d-a9e0-7a5addd70670.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-78d3d8d9-b476-451d-a9e0-7a5addd70670.json 
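Review bot: The `description` promises coverage of an adversary who "may add a user to a PIM role", but the `query` only matches `azure.auditlogs.operation_name:"Update role setting in PIM"`, so role-assignment operations (the "Add ... member to role in PIM" family of audit operation names, as far as I can tell) never fire this rule and the mapping to T1078 for persistence overstates what is detected. Either narrow the description to role-setting changes, e.g. `An adversary may modify a PIM role setting (activation duration, MFA or approval requirements, notifications) to weaken their target's security controls.`, or extend the query with the assignment operation names after confirming them against your audit log data. The `note` still says "The Azure Filebeat module must be enabled" although `index` also lists `logs-azure*`, so the Elastic Agent Azure integration should be mentioned as an alternative data source.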
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", - "false_positives": [ - "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." - ], - "from": "now-60m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "high_distinct_count_error_message", - "name": "Spike in AWS Error Messages", - "note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? 
Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "ML" - ], - "type": "machine_learning", - "version": 3 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", + "false_positives": [ + "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." 
+ ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_distinct_count_error_message", + "name": "Spike in AWS Error Messages", + "note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "ML" + ], + "type": "machine_learning", + "version": 3 + }, + "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json b/packages/security_detection_engine/kibana/security_rule/rule-792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json index 0dac46c0600..4c17883fb19 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", - "false_positives": [ - "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Key Vault Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", - "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault" - ], - "risk_score": 47, - "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Data Protection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.001", - "name": "Credentials In Files", - "reference": 
"https://attack.mitre.org/techniques/T1552/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", + "false_positives": [ + "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Key Vault Modified", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", + "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault" + ], + "risk_score": 47, + "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": 
"https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7a137d76-ce3d-48e2-947d-2747796a78c0.json b/packages/security_detection_engine/kibana/security_rule/rule-7a137d76-ce3d-48e2-947d-2747796a78c0.json index 7231e4db387..8f570e20fb0 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7a137d76-ce3d-48e2-947d-2747796a78c0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7a137d76-ce3d-48e2-947d-2747796a78c0.json 
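Review bot: `MICROSOFT.KEYVAULT/VAULTS/WRITE` in `azure.activitylogs` is a control-plane (ARM) write on the vault resource, which covers vault creation as well as updates to access policies, network rules and purge protection, so the `description`'s "modifications to a Key Vault" undersells creation events and, more importantly, says nothing about what is not seen. Data-plane operations, secret/key/certificate reads and writes, are emitted through Key Vault diagnostic (AuditEvent) logging rather than the activity log, so with this query a vault whose secrets are being dumped will not alert unless its configuration is also changed; that caveat belongs in the `note`, e.g. `This rule covers control-plane changes to the vault resource only; enable Key Vault diagnostic (AuditEvent) logging to monitor secret, key and certificate access.` The T1552.001 "Credentials In Files" sub-technique is a loose fit for a vault configuration change and may be worth revisiting, though I cannot tell from the hunk what the intended rationale was.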
@@ -1,63 +1,67 @@ { - "author": [ - "Elastic" - ], - "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", - "false_positives": [ - "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Network Sniffing via Tcpdump", - "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump", - "risk_score": 21, - "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", + "false_positives": [ + "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Network Sniffing via Tcpdump", + "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump", + "risk_score": 21, + "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "7a137d76-ce3d-48e2-947d-2747796a78c0", + "type": "security_rule" } \ No newline at end of file 
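Review bot: Matching only `process.name:tcpdump` means any invocation alerts, including `tcpdump -D`, `tcpdump --version` and `tcpdump -h`, which list interfaces or print help without capturing anything and are common in provisioning and troubleshooting scripts; excluding them would cut the noise the `false_positives` entry already acknowledges, e.g. `process.name:tcpdump and not process.args:("-D" or "--list-interfaces" or "--version" or "-h" or "--help")`. A name-only match is also trivially evaded by copying the binary under another name, and on Linux there is no `original_file_name` equivalent to fall back on, so the `note` (currently absent for this rule) should say that the rule is a low-effort signal for the stock binary and that raw-socket capture by renamed or alternative sniffers needs separate coverage.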
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7b08314d-47a0-4b71-ae4e-16544176924f.json b/packages/security_detection_engine/kibana/security_rule/rule-7b08314d-47a0-4b71-ae4e-16544176924f.json index 32c2894a3f0..cffa13a7422 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7b08314d-47a0-4b71-ae4e-16544176924f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7b08314d-47a0-4b71-ae4e-16544176924f.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.", - "false_positives": [ - "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "File and Directory Discovery", - "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n", - "risk_score": 21, - "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1083", - "name": "File and Directory Discovery", - "reference": "https://attack.mitre.org/techniques/T1083/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + 
"attributes": { + "author": [ + "Elastic" + ], + "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.", + "false_positives": [ + "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File and Directory Discovery", + "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n", + "risk_score": 21, + "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + 
"id": "7b08314d-47a0-4b71-ae4e-16544176924f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7b8bfc26-81d2-435e-965c-d722ee397ef1.json b/packages/security_detection_engine/kibana/security_rule/rule-7b8bfc26-81d2-435e-965c-d722ee397ef1.json index 2c116495c13..c520a6db08e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7b8bfc26-81d2-435e-965c-d722ee397ef1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7b8bfc26-81d2-435e-965c-d722ee397ef1.json 
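Review bot: In each of the three sequence steps of the `query` the `or process.name : "tree.com"` branch sits outside the parenthesised `cmd.exe`/`dir` condition, and since EQL `and` binds tighter than `or` the step is effectively `(event.type in (...) and cmd.exe-dir) or process.name : "tree.com"`, so any `process` event for `tree.com` qualifies, including process end events on `logs-endpoint.events.*`, which means a single `tree` run can satisfy two steps by itself. Wrapping the disjunction so the `event.type` filter applies to both alternatives fixes it: `[process where event.type in ("start", "process_started") and (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or process.name : "tree.com")]`, repeated for each step. If the target stack supports it, `with runs=3` on a single step would also remove the triplicated filter that makes this precedence mistake easy to miss.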
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Network Enumeration", - "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestory is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", - "risk_score": 47, - "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Network Enumeration", + 
"query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestory is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", + "risk_score": 47, + "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" }, - { - "id": "T1135", - "name": "Network Share Discovery", - "reference": "https://attack.mitre.org/techniques/T1135/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "type": "security_rule" } \ No newline at end of file 
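Review bot: The commented-out ancestry placeholder inside the `query` uses `event.type == ("start", "process_started")`, which compares a field to a tuple and will not parse once the block is uncommented; it should read `event.type in ("start", "process_started")` like the live filter above it, and the comment text has a typo (`ancestory`). Since this is a deliberate template for a future change, fixing it now avoids shipping a rule that breaks at the moment someone enables it; the rest of the query, including the `net1.exe` parent exclusion, looks correct to me.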
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json b/packages/security_detection_engine/kibana/security_rule/rule-7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json index 26a11122b65..403895a6274 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Tampering of Bash Command-Line History", - "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", - "risk_score": 47, - "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.003", - "name": "Clear Command History", - "reference": "https://attack.mitre.org/techniques/T1070/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic 
License v2", + "name": "Tampering of Bash Command-Line History", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", + "risk_score": 47, + "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7ceb2216-47dd-4e64-9433-cddc99727623.json b/packages/security_detection_engine/kibana/security_rule/rule-7ceb2216-47dd-4e64-9433-cddc99727623.json index 2a293bf98db..1f4b32019df 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-7ceb2216-47dd-4e64-9433-cddc99727623.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-7ceb2216-47dd-4e64-9433-cddc99727623.json 
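Review bot: The `history -c`, `export HISTFILE=...`, `unset HISTFILE` and `set +o history` branches of the `query` match process-start events, yet all four are bash builtins executed inside the running shell and never exec a new process, so on `auditbeat-*` and `logs-endpoint.events.*` process telemetry those branches can only fire through a wrapper such as `bash -c "..."`, where the script is normally a single argument and the per-argument `process.args :` match fails again. Matching the builtins on the full command line is more realistic, e.g. `process.command_line : ("*history -c*", "*HISTFILE=/dev/null*", "*HISTFILESIZE=0*", "*unset HISTFILE*", "*set +o history*")`, and the rule should carry a `note` stating that in-shell builtins are only visible via command-line or auditd coverage. The `rm`/`echo` branch likewise only sees a history path passed as a literal argument; truncation via redirection (`> ~/.bash_history`) is performed by the shell and leaves no such argument, while `truncate`, `shred` and `ln -sf /dev/null` against the same paths are not covered, so `process.args : ("rm", "echo", "truncate", "shred", "ln")` would close the obvious gaps.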
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
- "false_positives": [
- "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Service Account Creation",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
- "references": [
- "https://cloud.google.com/iam/docs/service-accounts"
- ],
- "risk_score": 21,
- "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1136",
- "name": "Create Account",
- "reference": "https://attack.mitre.org/techniques/T1136/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+
"description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+ "false_positives": [
+ "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Service Account Creation",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+ "references": [
+ "https://cloud.google.com/iam/docs/service-accounts"
+ ],
+ "risk_score": 21,
+ "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+ "type": "security_rule"
 }
\ No newline at end of file
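Review bot: The `"note"` on the new side still says only "The GCP Filebeat module must be enabled", while the `"index"` list also matches `logs-gcp*`, which is presumably the Fleet integration data stream; the note should name both sources so the stated dependency is accurate, e.g. `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."`. The description also still refers to "G Suite", a product name that has since been retired in favour of Google Workspace; that is a wording-only update to the string value. Both points apply to the `"attributes"` block and would presumably warrant a `"version"` bump if the package versions on content.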
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7d2c38d7-ede7-4bdf-b140-445906e6c540.json b/packages/security_detection_engine/kibana/security_rule/rule-7d2c38d7-ede7-4bdf-b140-445906e6c540.json
index 396c9bb4f9f..b74945e6e7b 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-7d2c38d7-ede7-4bdf-b140-445906e6c540.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-7d2c38d7-ede7-4bdf-b140-445906e6c540.json
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.",
- "false_positives": [
- "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
- ],
- "from": "now-9m",
- "index": [
- "filebeat-*",
- "packetbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Tor Activity to the Internet",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
- "risk_score": 47,
- "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Network",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "technique": [
- {
- "id": "T1090",
- "name": "Proxy",
- "reference": "https://attack.mitre.org/techniques/T1090/",
- "subtechnique": [
- {
- "id": "T1090.003",
- "name": "Multi-hop Proxy",
- "reference":
"https://attack.mitre.org/techniques/T1090/003/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.",
+ "false_positives": [
+ "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+ ],
+ "from": "now-9m",
+ "index": [
+ "filebeat-*",
+ "packetbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Tor Activity to the Internet",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+ "risk_score": 47,
+ "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Network",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1090",
+ "name": "Proxy",
+ "reference":
"https://attack.mitre.org/techniques/T1090/",
+ "subtechnique": [
+ {
+ "id": "T1090.003",
+ "name": "Multi-hop Proxy",
+ "reference": "https://attack.mitre.org/techniques/T1090/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-7f370d54-c0eb-4270-ac5a-9a6020585dc6.json b/packages/security_detection_engine/kibana/security_rule/rule-7f370d54-c0eb-4270-ac5a-9a6020585dc6.json
index b9b24aacb62..77447bd2862 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-7f370d54-c0eb-4270-ac5a-9a6020585dc6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-7f370d54-c0eb-4270-ac5a-9a6020585dc6.json
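Review bot: The `"false_positives"` entry on the new side reads "this rule may false under certain conditions", which is missing a word; it should read "this rule may produce false positives under certain conditions". In the query the IPv4 exclusions are bare CIDRs while the IPv6 values (`\"::1\"`, `\"FE80::/10\"`, `\"FF00::/8\"`) are quoted — KQL accepts both, but a single quoting style makes the exclusion list easier to audit. The match also requires `source.ip` to fall in one of the three RFC 1918 ranges, so hosts with routable addresses are presumably out of scope; a sentence to that effect in the description would save tuners from discovering it by testing.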
@@ -1,45 +1,49 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious WMIC XSL Script Execution",
- "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
- "risk_score": 21,
- "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1220",
- "name": "XSL Script Processing",
- "reference": "https://attack.mitre.org/techniques/T1220/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts.
When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious WMIC XSL Script Execution",
+ "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
+ "risk_score": 21,
+ "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1220",
+ "name": "XSL Script Processing",
+ "reference": "https://attack.mitre.org/techniques/T1220/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-809b70d3-e2c3-455e-af1b-2626a5a1a276.json b/packages/security_detection_engine/kibana/security_rule/rule-809b70d3-e2c3-455e-af1b-2626a5a1a276.json
index 3f0f268aa92..6a86f5e49a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-809b70d3-e2c3-455e-af1b-2626a5a1a276.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-809b70d3-e2c3-455e-af1b-2626a5a1a276.json
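Review bot: Unlike the other query-type rules rewrapped in this commit, this rule's `"attributes"` has no `"timestamp_override"`, yet it keeps a short `"from": "now-9m"` look-back; without the override, events whose `@timestamp` lags their arrival can fall outside the window and never be evaluated, so adding `"timestamp_override": "event.ingested",` before `"type": "eql"` would bring it in line with its siblings. The 80c52164 Endgame hunk likewise carries no override, though its `now-15m`/`10m` pairing leaves more slack. The `sequence` also joins a process start to a `library` event, and only some of the three listed index patterns are likely to carry library-load events; a `"note"` stating which data source is required for the second stage would help operators understand why the rule may stay silent.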
@@ -1,30 +1,34 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
- "false_positives": [
- "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
- ],
- "from": "now-60m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "rare_method_for_a_city",
- "name": "Unusual City For an AWS Command",
- "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context?
Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "ML"
- ],
- "type": "machine_learning",
- "version": 3
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
+ "false_positives": [
+ "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+ ],
+ "from": "now-60m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "rare_method_for_a_city",
+ "name": "Unusual City For an AWS Command",
+ "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters.
These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 3
+ },
+ "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-80c52164-c82a-402c-9964-852533d58be1.json b/packages/security_detection_engine/kibana/security_rule/rule-80c52164-c82a-402c-9964-852533d58be1.json
index 464ed04f7c3..1cc50b868e2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-80c52164-c82a-402c-9964-852533d58be1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-80c52164-c82a-402c-9964-852533d58be1.json
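Review bot: The investigation `"note"` carried into `"attributes"` has a misplaced backtick — the text "`event.action field`" should be "`event.action` field" so the field name renders as code and the word "field" does not — and the description says "in a different geography then the authorized user(s)", where "then" should be "than". Both are wording fixes inside string values on the new side; since the wrap leaves `"version": 3` unchanged, correcting them would presumably need a version bump under the package's conventions.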
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Process Injection - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
- "risk_score": 73,
- "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Process Injection - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+ "risk_score": 73,
+ "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "80c52164-c82a-402c-9964-852533d58be1",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-81cc58f5-8062-49a2-ba84-5cc4b4d31c40.json b/packages/security_detection_engine/kibana/security_rule/rule-81cc58f5-8062-49a2-ba84-5cc4b4d31c40.json
index ebe00dd9350..4233252159a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-81cc58f5-8062-49a2-ba84-5cc4b4d31c40.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-81cc58f5-8062-49a2-ba84-5cc4b4d31c40.json
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.",
- "false_positives": [
- "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Persistence via Kernel Module Modification",
- "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
- "references": [
- "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
- ],
- "risk_score": 21,
- "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1547",
- "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.006",
- "name": "Kernel Modules and Extensions",
- "reference": "https://attack.mitre.org/techniques/T1547/006/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.",
+ "false_positives": [
+ "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Persistence via Kernel Module Modification",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+ "references": [
+ "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
+ ],
+ "risk_score": 21,
+ "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.006",
+ "name": "Kernel Modules and Extensions",
+ "reference": "https://attack.mitre.org/techniques/T1547/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-827f8d8f-4117-4ae4-b551-f56d54b9da6b.json b/packages/security_detection_engine/kibana/security_rule/rule-827f8d8f-4117-4ae4-b551-f56d54b9da6b.json
index f15ca479315..02541d10e66 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-827f8d8f-4117-4ae4-b551-f56d54b9da6b.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-827f8d8f-4117-4ae4-b551-f56d54b9da6b.json
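Review bot: `rmod` in the query's `process.name:(insmod or kmod or modprobe or rmod)` is not the name of the module-removal utility, which is `rmmod`, so module unloads are silently missed by that term; the new side should read `process.name:(insmod or kmod or modprobe or rmmod)`. The `"description"` ("Identifies loadable kernel module errors") also does not describe what the query does — it matches process starts of the kernel-module utilities regardless of outcome — and should say something like "Identifies execution of loadable kernel module utilities (insmod, kmod, modprobe, rmmod), which can indicate persistence attempts." Both edits change string values inside `"attributes"`, so `"version": 8` would presumably need a bump alongside them.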
@@ -1,64 +1,68 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Apple Scripting Execution with Administrator Privileges",
- "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n",
- "references": [
- "https://discussions.apple.com/thread/2266150"
- ],
- "risk_score": 47,
- "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Execution",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Apple Scripting Execution with Administrator Privileges",
+ "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n",
+ "references": [
+ "https://discussions.apple.com/thread/2266150"
+ ],
+ "risk_score": 47,
+ "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1078",
- "name": "Valid Accounts",
- "reference": "https://attack.mitre.org/techniques/T1078/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-852c1f19-68e8-43a6-9dce-340771fe1be3.json b/packages/security_detection_engine/kibana/security_rule/rule-852c1f19-68e8-43a6-9dce-340771fe1be3.json
index 87ba02dae1c..e75b9f8d63d 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-852c1f19-68e8-43a6-9dce-340771fe1be3.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-852c1f19-68e8-43a6-9dce-340771fe1be3.json
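Review bot: The `"description"` on the new side says the rule identifies osascript execution "without a password prompt", but the query only matches a command line containing `osascript*with administrator privileges`; whether an authorization dialog was shown is not observable from a process-start event, so the description claims more than the query can establish. It should either drop the phrase — "Identifies execution of the Apple script interpreter (osascript) with administrator privileges." — or explain in a `"note"` that the rule fires on every use of that phrase and that analysts must confirm from context whether credentials were supplied non-interactively. The interleaving of old and new `"threat"` entries in this hunk is only a diff artifact; the two tactic objects survive unchanged under `"attributes"`.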
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious PowerShell Engine ImageLoad",
- "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n",
- "risk_score": 47,
- "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/",
- "subtechnique": [
- {
- "id": "T1059.001",
- "name": "PowerShell",
- "reference": "https://attack.mitre.org/techniques/T1059/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious PowerShell Engine ImageLoad",
+ "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n",
+ "risk_score": 47,
+ "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8623535c-1e17-44e1-aa97-7a0699c3037d.json b/packages/security_detection_engine/kibana/security_rule/rule-8623535c-1e17-44e1-aa97-7a0699c3037d.json
index 8bba10a49b4..d68e7b60915 100644
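Review bot: The `not process.name : (...)` allow-list is evaluated on the bare file name, so any unsigned .NET host that loads System.Management.Automation evades the rule simply by being renamed to a listed name such as `ScriptRunner.exe`, `choco.exe` or `InstallUtil.exe`; the `C:\Program Files*\*.exe` exclusion on `process.executable` likewise trusts every binary under a writable Program Files subdirectory. Where the endpoint or winlogbeat dataset supplies them, anchoring the exceptions on full `process.executable` paths, or on `process.code_signature.trusted == true and process.code_signature.subject_name : (...)`, makes them materially harder to spoof — field availability per source should be confirmed before relying on it. Minor: because `:` is case-insensitive, `"msiexec.exe"` and `"MsiExec.exe"` are duplicates and one can be dropped.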
--- a/packages/security_detection_engine/kibana/security_rule/rule-8623535c-1e17-44e1-aa97-7a0699c3037d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8623535c-1e17-44e1-aa97-7a0699c3037d.json
@@ -1,64 +1,68 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
- "false_positives": [
- "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS EC2 Network Access Control List Deletion",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
- "references": [
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
- "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
- "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
- ],
- "risk_score": 47,
- "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Network Security"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+ "false_positives": [
+ "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS EC2 Network Access Control List Deletion",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Network Security"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-867616ec-41e5-4edc-ada2-ab13ab45de8a.json b/packages/security_detection_engine/kibana/security_rule/rule-867616ec-41e5-4edc-ada2-ab13ab45de8a.json
index 6f754d9c94e..bdccf23289c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-867616ec-41e5-4edc-ada2-ab13ab45de8a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-867616ec-41e5-4edc-ada2-ab13ab45de8a.json
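Review bot: The `note` says only that the AWS Filebeat module must be enabled, but the `index` list also covers `logs-aws*`, the data stream written by the Fleet AWS integration, so operators on Fleet will read the note as "this rule does not apply to me"; it should read `The AWS Fleet integration or Filebeat module must be enabled to use this rule.` The ATT&CK mapping is also imprecise: tampering with cloud network ACLs is what T1562.007 (Disable or Modify Cloud Firewall) describes, and if the ATT&CK release this package targets includes that sub-technique it is a better fit than T1562.001 "Disable or Modify Tools". Finally, because the query requires `event.outcome:success`, denied `DeleteNetworkAcl` attempts — often the clearer sign of an attacker probing permissions — produce no alert; that is a defensible scoping choice but worth stating in `false_positives` or `note` so no one assumes failures are covered.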
@@ -1,55 +1,59 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
- "false_positives": [
- "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS IAM Group Deletion",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
- "references": [
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
- ],
- "risk_score": 21,
- "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
- },
- "technique": [
- {
- "id": "T1531",
- "name": "Account Access Removal",
- "reference": "https://attack.mitre.org/techniques/T1531/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
+ "false_positives": [
+ "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS IAM Group Deletion",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+ "type": "security_rule"
 }
\ No newline at end of file
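Review bot: The description conflates two AWS services: `DeleteGroup` on `event.provider:iam.amazonaws.com` (the query and both linked API references) deletes an IAM user group, whereas "resource group" is the Resource Groups service, and the sentence "Deleting a resource group does not delete resources that are members of the group" does not describe IAM — IAM refuses to delete a group that still has users or attached policies, so a successful event implies the group was emptied first, which is itself useful triage context. Suggested wording: `Identifies the deletion of an AWS Identity and Access Management (IAM) user group. IAM requires the group to have no members and no attached policies before it can be deleted, so a successful deletion is normally preceded by RemoveUserFromGroup and DetachGroupPolicy events from the same principal.` The `false_positives` entry repeats the "resource group" wording and should be corrected to "IAM group" for the same reason, and the `note` should mention the AWS Fleet integration alongside the Filebeat module since `logs-aws*` is in the `index` list.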
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-870aecc0-cea4-4110-af3f-e02e9b373655.json b/packages/security_detection_engine/kibana/security_rule/rule-870aecc0-cea4-4110-af3f-e02e9b373655.json
index 7a910763c88..beefeac9626 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-870aecc0-cea4-4110-af3f-e02e9b373655.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-870aecc0-cea4-4110-af3f-e02e9b373655.json
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
- "false_positives": [
- "Endpoint Security installers, updaters and post installation verification scripts."
- ],
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "auditbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Security Software Discovery via Grep",
- "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
- "risk_score": 47,
- "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Linux",
- "Threat Detection",
- "Discovery"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1518",
- "name": "Software Discovery",
- "reference": "https://attack.mitre.org/techniques/T1518/",
- "subtechnique": [
- {
- "id": "T1518.001",
- "name": "Security Software Discovery",
- "reference": "https://attack.mitre.org/techniques/T1518/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
+ "false_positives": [
+ "Endpoint Security installers, updaters and post installation verification scripts."
+ ],
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "auditbeat-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Security Software Discovery via Grep",
+ "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
+ "risk_score": 47,
+ "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Linux",
+ "Threat Detection",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1518",
+ "name": "Software Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1518/",
+ "subtechnique": [
+ {
+ "id": "T1518.001",
+ "name": "Security Software Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1518/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-871ea072-1b71-4def-b016-6278b505138d.json b/packages/security_detection_engine/kibana/security_rule/rule-871ea072-1b71-4def-b016-6278b505138d.json
index 541cb7cda01..bca2e05001a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-871ea072-1b71-4def-b016-6278b505138d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-871ea072-1b71-4def-b016-6278b505138d.json
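Review bot: `process.name : "grep"` matches only the `grep` binary, so the equally routine `egrep`/`fgrep` wrappers and, more importantly, a process lookup such as `pgrep -l sophos` pass the rule untouched; `process.name : ("grep", "egrep", "fgrep", "pgrep")` is a one-token widening that keeps the rest of the logic unchanged. The `user.id != "0"` clause deserves an explicit mention in `false_positives` or `note`: it suppresses installer noise, but it also means an adversary who has already obtained root enumerates security tooling without triggering this rule, and operators should know the coverage stops there. Patterns such as `guard*`, `Malware*` and `kav` are broad enough to hit unrelated command lines (`Malware*` matches any path containing that word), which is worth calling out in `false_positives` as well.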
@@ -1,51 +1,55 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Enumeration of Administrator Accounts",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n",
- "risk_score": 21,
- "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Discovery"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1069",
- "name": "Permission Groups Discovery",
- "reference": "https://attack.mitre.org/techniques/T1069/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Enumeration of Administrator Accounts",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n",
+ "risk_score": 21,
+ "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
 },
- {
- "id": "T1087",
- "name": "Account Discovery",
- "reference": "https://attack.mitre.org/techniques/T1087/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "technique": [
+ {
+ "id": "T1069",
+ "name": "Permission Groups Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1069/"
+ },
+ {
+ "id": "T1087",
+ "name": "Account Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1087/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "871ea072-1b71-4def-b016-6278b505138d",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-87ec6396-9ac4-4706-bcf0-2ebb22002f43.json b/packages/security_detection_engine/kibana/security_rule/rule-87ec6396-9ac4-4706-bcf0-2ebb22002f43.json
index 1127a9acf41..afe02b13508 100644
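Review bot: In the `net`/`net1` branch, `process.args : ("admin", "Domain Admins", ...)` uses `:` with no wildcard on `admin`, and as I read EQL's `:` semantics that is a case-insensitive equality test on a single argument — so the canonical `net localgroup administrators` does not match, because `administrators` is not equal to `admin`, and only the quoted multi-word group names in the list are actually caught. Replacing the first element with `"*admin*"` covers `administrators`, `Domain Admins`, `Enterprise Admins` and `Schema Admins` in one pattern; please confirm against a captured event before merging. The description also promises "lower privilege accounts", but nothing in the query constrains the executing user — either drop that qualifier or add a condition on the user/integrity fields where the dataset provides them.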
--- a/packages/security_detection_engine/kibana/security_rule/rule-87ec6396-9ac4-4706-bcf0-2ebb22002f43.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-87ec6396-9ac4-4706-bcf0-2ebb22002f43.json
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.",
- "false_positives": [
- "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
- ],
- "from": "now-9m",
- "index": [
- "filebeat-*",
- "packetbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "FTP (File Transfer Protocol) Activity to the Internet",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
- "risk_score": 21,
- "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Network",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.",
+ "false_positives": [
+ "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
+ ],
+ "from": "now-9m",
+ "index": [
+ "filebeat-*",
+ "packetbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "FTP (File Transfer Protocol) Activity to the Internet",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+ "risk_score": 21,
+ "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Network",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": []
 },
- "technique": []
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0010",
- "name": "Exfiltration",
- "reference": "https://attack.mitre.org/tactics/TA0010/"
- },
- "technique": [
- {
- "id": "T1048",
- "name": "Exfiltration Over Alternative Protocol",
- "reference": "https://attack.mitre.org/techniques/T1048/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0010",
+ "name": "Exfiltration",
+ "reference": "https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1048",
+ "name": "Exfiltration Over Alternative Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1048/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-88817a33-60d3-411f-ba79-7c905d865b2a.json b/packages/security_detection_engine/kibana/security_rule/rule-88817a33-60d3-411f-ba79-7c905d865b2a.json
index 3382db95ea0..faee1a04092 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-88817a33-60d3-411f-ba79-7c905d865b2a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-88817a33-60d3-411f-ba79-7c905d865b2a.json
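Review bot: The `source.ip` clause admits only the three IPv4 RFC 1918 ranges, while the `destination.ip` exclusion goes to the trouble of listing IPv6 loopback, link-local and multicast — so an IPv6-sourced FTP session, or one from a host with a public or 100.64.0.0/10 shared address (common in cloud VPCs), can never match. Either extend the source list with `fc00::/7` and, where your networks use it, `100.64.0.0/10`, or drop the source constraint and rely on the destination exclusion; in both cases `fc00::/7` and `100.64.0.0/10` belong in the destination exclusion too, so ULA/CGNAT peers are not reported as "Internet". Two caveats are worth adding to `false_positives`: `destination.port:20` from an internal source only appears in active-mode data channels, and port-based matching labels any TCP/21 flow as FTP unless Zeek's analyzer (`event.dataset:zeek.ftp`) has confirmed the protocol.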
@@ -1,48 +1,52 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Sublime Plugin or Application Script Modification",
- "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path : \n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable : \n (\n \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n \"/usr/local/Cellar/git/*/bin/git\", \n \"/usr/libexec/xpcproxy\", \n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n )\n",
- "references": [
- "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
- ],
- "risk_score": 21,
- "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1554",
- "name": "Compromise Client Software Binary",
- "reference": "https://attack.mitre.org/techniques/T1554/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Sublime Plugin or Application Script Modification",
+ "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path : \n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable : \n (\n \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n \"/usr/local/Cellar/git/*/bin/git\", \n \"/usr/libexec/xpcproxy\", \n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n )\n",
+ "references": [
+ "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+ ],
+ "risk_score": 21,
+ "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1554",
+ "name": "Compromise Client Software Binary",
+ "reference": "https://attack.mitre.org/techniques/T1554/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-891cb88e-441a-4c3e-be2d-120d99fe7b0d.json b/packages/security_detection_engine/kibana/security_rule/rule-891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
index d44853b6fc2..b58de03f807 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
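Review bot: The file filter is restricted to `file.extension : "py"` under `.../Packages/`, but Sublime Text also loads plugin code from zipped `*.sublime-package` archives in the sibling `Installed Packages/` directory (the location Package Control installs to), so dropping a malicious archive there gives the same start-time persistence without creating or changing any `.py` file. Widening to `file.extension : ("py", "sublime-package")` and adding `"/Users/*/Library/Application Support/Sublime Text*/Installed Packages/*.sublime-package"` to the `file.path` list covers that path with the rest of the query unchanged. The `process.executable` exclusions also look tuned to one machine — Homebrew `git` only under `/usr/local/Cellar`, so `/usr/bin/git` and Apple-silicon `/opt/homebrew` installs will alert on ordinary checkouts; that belongs in a `false_positives` entry since the rule currently has none.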
+++ b/packages/security_detection_engine/kibana/security_rule/rule-891cb88e-441a-4c3e-be2d-120d99fe7b0d.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious WMI Image Load from MS Office", - "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"wmiutils.dll\"\n", - "references": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" - ], - "risk_score": 21, - "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). 
This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMI Image Load from MS Office", + "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"wmiutils.dll\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" + ], + "risk_score": 21, + "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-897dc6b5-b39f-432a-8d75-d3730d50c782.json b/packages/security_detection_engine/kibana/security_rule/rule-897dc6b5-b39f-432a-8d75-d3730d50c782.json index 1393b571bbb..7c2efd21eb8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-897dc6b5-b39f-432a-8d75-d3730d50c782.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-897dc6b5-b39f-432a-8d75-d3730d50c782.json 
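Review bot: The new top-level `"id"` duplicates `attributes.rule_id` (and the `rule-<id>.json` file name), so the three values can silently drift apart; this applies to every file section in this commit, including the Kerberos, cmd.exe, DirectoryService, setuid, Okta zone, JAR, multiple-extension and RDP rules below. If the packaging step that emits this wrapper does not already do so, a build-time assertion that `id == attributes.rule_id` and that both match the file name would catch a mismatch before the package ships. Every rewritten file also still ends with `\ No newline at end of file`, which is worth normalising while the files are regenerated. Separately, this rule carries no `false_positives` entry while most of its siblings do; one sentence on which legitimate Office add-ins or automation load `wmiutils.dll` in the author's testing would help operators tune it.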
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", - "false_positives": [ - "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kerberos Traffic from Unusual Process", - "query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port \u003e= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", - "risk_score": 47, - "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. 
On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port \u003e= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json b/packages/security_detection_engine/kibana/security_rule/rule-89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json index a9cba200b22..8220c3f924d 100644 
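Review bot: In the query, `process.executable != "C:\\Windows\\System32\\lsass.exe"` is a case-sensitive comparison, while the rest of this rule set matches process names with the case-insensitive `:` operator; if a sensor ever reports the path with different casing, lsass.exe itself is no longer excluded and the rule is likely to fire on routine Kerberos traffic from the host. Changing the exclusion to `not process.executable : "C:\\Windows\\System32\\lsass.exe"` keeps the intent and removes the casing dependency. The trailing `not process.name in (...)` exclusion list is also case-sensitive; `not process.name : (...)` is the form the sibling rules in this commit use for the same purpose.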
--- a/packages/security_detection_engine/kibana/security_rule/rule-89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json 
@@ -1,63 +1,67 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", - "false_positives": [ - "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Prompt Network Connection", - "query": "sequence by process.entity_id\n [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n", - "risk_score": 21, - "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Prompt Network Connection", + "query": "sequence by process.entity_id\n [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n", + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 6 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "type": "security_rule" } \ No newline at end of file 
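Review bot: The `cidrmatch` exclusion in the query only removes the three RFC 1918 ranges, so a cmd.exe connection to loopback or a link-local address still counts as a network connection for this rule, whereas the RDP rule in this same commit excludes `127.0.0.0/8`, `169.254.0.0/16`, `::1` and `FE80::/10` as well. Unless localhost traffic from cmd.exe is wanted on purpose, `not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")` would align the two rules; the IPv6 loopback and link-local ranges can be added the same way if the sensor populates them. This rule is also the only one in the visible hunks without `"timestamp_override": "event.ingested"`, which is presumably an oversight rather than a deliberate choice — confirm and add it if so.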
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-89fa6cb7-6b53-4de2-b604-648488841ab8.json b/packages/security_detection_engine/kibana/security_rule/rule-89fa6cb7-6b53-4de2-b604-648488841ab8.json index ee13cfd498a..cd6d41e1c50 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-89fa6cb7-6b53-4de2-b604-648488841ab8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-89fa6cb7-6b53-4de2-b604-648488841ab8.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via DirectoryService Plugin Modification", - "query": "event.category:file and not event.type:deletion and file.path:/Library/DirectoryServices/PlugIns/*.dsplug", - "references": [ - "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" - ], - "risk_score": 47, - "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. 
It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via DirectoryService Plugin Modification", + "query": "event.category:file and not event.type:deletion and file.path:/Library/DirectoryServices/PlugIns/*.dsplug", + "references": [ + "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" + ], + "risk_score": 47, + "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8a1b0278-0f9a-487d-96bd-d4833298e87a.json b/packages/security_detection_engine/kibana/security_rule/rule-8a1b0278-0f9a-487d-96bd-d4833298e87a.json index d8dd4f6ea81..9522694d0b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8a1b0278-0f9a-487d-96bd-d4833298e87a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8a1b0278-0f9a-487d-96bd-d4833298e87a.json 
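Review bot: The description in this hunk still reads `The DirectoryService daemonlaunches on each system boot`; the missing space (`daemon launches`) is user-visible in the rule detail and worth fixing while the file is being rewritten. A second, hedged observation: the description says the daemon executes bundles, but `file.path:/Library/DirectoryServices/PlugIns/*.dsplug` only matches a path that ends in `.dsplug`, i.e. the bundle directory itself, so writes to files inside an existing bundle would not be covered; if the sensor reports those writes, a second pattern such as `/Library/DirectoryServices/PlugIns/*.dsplug/*` would be needed — confirm against how Endpoint reports bundle contents before changing it.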
@@ -1,63 +1,67 @@ { - "author": [ - "Elastic" - ], - "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Setuid / Setgid Bit Set via chmod", - "query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)", - "risk_score": 21, - "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. 
Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Setuid / Setgid Bit Set via chmod", + "query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)", + "risk_score": 21, + "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.001", - "name": "Setuid and Setgid", - "reference": "https://attack.mitre.org/techniques/T1548/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + 
"timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json b/packages/security_detection_engine/kibana/security_rule/rule-8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json index fd60fc5e269..56f82310e1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json 
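Review bot: The Lucene query in this hunk mixes quoted and unquoted terms — `"+s" OR "u+s" OR ... OR g+s` — and `+` is a reserved character in query-string syntax, so the bare `g+s` may not be parsed as the same kind of literal the other two are; quoting it as `"g+s"` makes the clause consistent and unambiguous. The numeric-mode alternatives `/4[0-9]{3}/ OR /2[0-9]{3}/` also only cover a leading 4 or 2, yet the description says the rule detects the setuid or setgid bit: a mode that sets both bits, or either bit together with the sticky bit, starts with 3, 5, 6 or 7, so `/[2-7][0-9]{3}/` matches the stated intent. The empty `"technique": []` under the Persistence tactic is valid but carries no information; either map a technique or drop that tactic entry.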
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:zone.deactivate", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Network Zone", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:zone.deactivate", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8acb7614-1d92-4359-bfcf-478b6d9de150.json b/packages/security_detection_engine/kibana/security_rule/rule-8acb7614-1d92-4359-bfcf-478b6d9de150.json index 48f2943cd6c..482e1a32149 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8acb7614-1d92-4359-bfcf-478b6d9de150.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8acb7614-1d92-4359-bfcf-478b6d9de150.json 
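Review bot: The description in this hunk says the rule covers attempts to `modify, delete, or deactivate` an Okta network zone, but the query only matches `event.action:zone.deactivate`, so an analyst reading the alert text will expect coverage the rule does not have. Either narrow the sentence to deactivation, e.g. `An adversary may attempt to deactivate an Okta network zone in order to remove or weaken an organization's security controls.`, or state in the description that modification and deletion are handled by separate rules, if that is the case. The `false_positives` entry, which talks about zones being "regularly modified", should be adjusted in the same way so the two texts agree with the query.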
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious JAR Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n process.args : \"-jar\" and process.args : \"*.jar\" and\n /* Add any FP's here */\n not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n", - "risk_score": 47, - "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.007", - "name": "JavaScript/JScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of a Java Archive (JAR) file. 
JAR files may be used to deliver malware in order to evade detection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious JAR Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n process.args : \"-jar\" and process.args : \"*.jar\" and\n /* Add any FP's here */\n not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n", + "risk_score": 47, + "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript/JScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json b/packages/security_detection_engine/kibana/security_rule/rule-8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json index 4d217c0978b..d46c3bf9571 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json 
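Review bot: The `threat` block in this hunk maps a rule about child processes of a Java archive to sub-technique `T1059.007` `JavaScript/JScript`, which is a different language; the mapping is misleading in the alert's ATT&CK annotation and in any coverage reporting built on it. The parent technique `T1059` (Command and Scripting Interpreter) is a reasonable fit for the shell and download utilities the query lists, so the simplest fix is to drop the `subtechnique` array and keep `T1059` alone. A second, hedged point: the query filters `process.args : "-jar"` on the child process, while the description treats the JAR as the parent; if the intent is to identify the `java -jar` launcher, `process.parent.args` may be the field meant — confirm against the events this rule was validated on.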
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Executable File Creation with Multiple Extensions", - "query": "file where event.type == \"creation\" and file.extension:\"exe\" and\n file.name:\n (\n \"*.vbs.exe\",\n \"*.vbe.exe\",\n \"*.bat.exe\",\n \"*.js.exe\",\n \"*.cmd.exe\",\n \"*.wsh.exe\",\n \"*.ps1.exe\",\n \"*.pdf.exe\",\n \"*.docx.exe\",\n \"*.doc.exe\",\n \"*.xlsx.exe\",\n \"*.xls.exe\",\n \"*.pptx.exe\",\n \"*.ppt.exe\",\n \"*.txt.exe\",\n \"*.rtf.exe\",\n \"*.gif.exe\",\n \"*.jpg.exe\",\n \"*.png.exe\",\n \"*.bmp.exe\",\n \"*.hta.exe\",\n \"*.txt.exe\",\n \"*.img.exe\",\n \"*.iso.exe\"\n )\n", - "risk_score": 47, - "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.004", - "name": "Masquerade Task or Service", - "reference": "https://attack.mitre.org/techniques/T1036/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. 
One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable File Creation with Multiple Extensions", + "query": "file where event.type == \"creation\" and file.extension:\"exe\" and\n file.name:\n (\n \"*.vbs.exe\",\n \"*.vbe.exe\",\n \"*.bat.exe\",\n \"*.js.exe\",\n \"*.cmd.exe\",\n \"*.wsh.exe\",\n \"*.ps1.exe\",\n \"*.pdf.exe\",\n \"*.docx.exe\",\n \"*.doc.exe\",\n \"*.xlsx.exe\",\n \"*.xls.exe\",\n \"*.pptx.exe\",\n \"*.ppt.exe\",\n \"*.txt.exe\",\n \"*.rtf.exe\",\n \"*.gif.exe\",\n \"*.jpg.exe\",\n \"*.png.exe\",\n \"*.bmp.exe\",\n \"*.hta.exe\",\n \"*.txt.exe\",\n \"*.img.exe\",\n \"*.iso.exe\"\n )\n", + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "type": "security_rule" } \ No newline at end of file 
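Review bot: The `file.name` list in the query contains `"*.txt.exe"` twice (once after `"*.ppt.exe"` and again after `"*.hta.exe"`), which is harmless at query time but suggests the list is not being maintained carefully; remove the second occurrence. The `threat` mapping is also off: the rule describes a double-extension masquerade, but the sub-technique chosen is `T1036.004` `Masquerade Task or Service`, which concerns task and service names rather than file names. ATT&CK has a dedicated `T1036.007` `Double File Extension` sub-technique; if the ATT&CK version this package pins includes it, that is the accurate mapping, otherwise keep just the parent `T1036`.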
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8c1bdde8-4204-45c0-9e0c-c85ca3902488.json b/packages/security_detection_engine/kibana/security_rule/rule-8c1bdde8-4204-45c0-9e0c-c85ca3902488.json index 73b020b602c..2572b0e4211 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8c1bdde8-4204-45c0-9e0c-c85ca3902488.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8c1bdde8-4204-45c0-9e0c-c85ca3902488.json 
@@ -1,73 +1,77 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RDP (Remote Desktop Protocol) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", - "risk_score": 47, - "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. 
Such work-flows are usually known and not unexpected." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - 
"timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json b/packages/security_detection_engine/kibana/security_rule/rule-8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json index b4a928e7850..3b9c2faf05d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json 
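Review bot: The `source.ip` exclusion in `query` lists the IPv4 private, loopback, link-local and multicast ranges plus `::1`, `FE80::/10` and `FF00::/8`, but not IPv6 unique local addresses (`fc00::/7`), and `destination.ip` accepts only the three RFC 1918 IPv4 ranges, so as written the rule never evaluates IPv6 RDP sessions at all. If that is intentional the `description` should say the rule is IPv4-only; otherwise the ULA range belongs in both the source exclusion and the destination list. Separately, the `false_positives` text reads "may be expected expose RDP directly to the Internet" and should be "may be expected to expose RDP directly to the Internet". The first `threat` entry (TA0011) carries `"technique": []`, which the commit preserves unchanged; a tactic with no technique is legal but gives analysts nothing to pivot on.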
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", - "false_positives": [ - "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Child Process of dns.exe", - "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. 
This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.", - "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS" - ], - "risk_score": 73, - "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "false_positives": [ + "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. 
Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Child Process of dns.exe", + "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. 
This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.", + "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS" + ], + "risk_score": 73, + "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8c81e506-6e82-4884-9b9a-75d3d252f967.json b/packages/security_detection_engine/kibana/security_rule/rule-8c81e506-6e82-4884-9b9a-75d3d252f967.json index b996699a7f2..23c2490ee6f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8c81e506-6e82-4884-9b9a-75d3d252f967.json 
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8c81e506-6e82-4884-9b9a-75d3d252f967.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential SharpRDP Behavior", - "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n\n [registry where process.name : \"explorer.exe\" and \n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n \n [process where event.type in (\"start\", \"process_started\") and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n not process.name : \"conhost.exe\"\n ]\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" - ], - "risk_score": 73, - "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": 
"Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SharpRDP Behavior", + "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n\n [registry where process.name : \"explorer.exe\" and \n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n \n [process where event.type in (\"start\", \"process_started\") and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n not process.name : \"conhost.exe\"\n ]\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" + ], + "risk_score": 73, + "rule_id": 
"8c81e506-6e82-4884-9b9a-75d3d252f967", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "8c81e506-6e82-4884-9b9a-75d3d252f967", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json b/packages/security_detection_engine/kibana/security_rule/rule-8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json index 75ce149f767..7530de7b173 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json 
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Ransomware - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
- "risk_score": 99,
- "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
- "severity": "critical",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Ransomware - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+ "risk_score": 99,
+ "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+ "severity": "critical",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8ddab73b-3d15-4e5d-9413-47f05553c1d7.json b/packages/security_detection_engine/kibana/security_rule/rule-8ddab73b-3d15-4e5d-9413-47f05553c1d7.json
index c1c96ee9a04..bc6eb63d8df 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-8ddab73b-3d15-4e5d-9413-47f05553c1d7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8ddab73b-3d15-4e5d-9413-47f05553c1d7.json
@@ -1,36 +1,40 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Automation Runbook Deleted",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)",
- "references": [
- "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
- "https://github.com/hausec/PowerZure",
- "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
- "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
- ],
- "risk_score": 21,
- "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Automation Runbook Deleted",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)",
+ "references": [
+ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+ "https://github.com/hausec/PowerZure",
+ "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+ "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+ ],
+ "risk_score": 21,
+ "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8f3e91c7-d791-4704-80a1-42c160d7aa27.json b/packages/security_detection_engine/kibana/security_rule/rule-8f3e91c7-d791-4704-80a1-42c160d7aa27.json
index dc73437c3c7..6c195b0321f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-8f3e91c7-d791-4704-80a1-42c160d7aa27.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8f3e91c7-d791-4704-80a1-42c160d7aa27.json
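Review bot: `note` says only "The Azure Filebeat module must be enabled to use this rule.", but `index` also lists `logs-azure*`, which is the data stream pattern written by the Elastic Agent (Fleet) Azure integration rather than a Filebeat module index, so the note understates where the rule's data can come from. Suggest `"note": "The Azure Fleet integration or Filebeat module must be enabled to use this rule."`. The same mismatch exists in the GCP Service Account Deletion hunk (rule-8fb75dda), whose `note` names only the GCP Filebeat module while `index` includes `logs-gcp*`.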
@@ -1,78 +1,82 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Port Monitor or Print Processor Registration Abuse", - "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", - "references": [ - "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" - ], - "risk_score": 47, - "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies port monitor and print processor registry modifications. 
Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Port Monitor or Print Processor Registration Abuse", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + ], + "risk_score": 47, + "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.010", - "name": "Port Monitors", - "reference": "https://attack.mitre.org/techniques/T1547/010/" - } - ] - } - ] - }, - { - "framework": 
"MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.010", - "name": "Port Monitors", - "reference": "https://attack.mitre.org/techniques/T1547/010/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8f919d4b-a5af-47ca-a594-6be59cd924a4.json b/packages/security_detection_engine/kibana/security_rule/rule-8f919d4b-a5af-47ca-a594-6be59cd924a4.json index 70d29aee6dc..62c3e838b13 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8f919d4b-a5af-47ca-a594-6be59cd924a4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-8f919d4b-a5af-47ca-a594-6be59cd924a4.json 
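Review bot: The second `registry.path` pattern in `query` starts with `HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*`; `HLLM` is not a registry hive, so the print processor branch can never match and the rule only detects port monitor registrations, although its name, description and both tactic mappings promise both. The commit carries the typo over unchanged into the new `attributes` block. Change it to `"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*"` and, since the query changes, `version` should presumably be incremented. The `subtechnique` lists also only carry T1547.010 (Port Monitors); once the print processor path works, the corresponding ATT&CK sub-technique for print processors (T1547.012) would be the accurate mapping for that half.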
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", - "references": [ - "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" - ], - "risk_score": 47, - "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction == \"incoming\" and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" + ], + "risk_score": 47, + "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-8fb75dda-c47a-4e34-8ecd-34facf7aad13.json b/packages/security_detection_engine/kibana/security_rule/rule-8fb75dda-c47a-4e34-8ecd-34facf7aad13.json index e7afbd075a8..31a088fefc0 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-8fb75dda-c47a-4e34-8ecd-34facf7aad13.json 
+++ b/packages/security_detection_engine/kibana/security_rule/rule-8fb75dda-c47a-4e34-8ecd-34facf7aad13.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", - "false_positives": [ - "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts" - ], - "risk_score": 47, - "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). 
A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", + "false_positives": [ + "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "risk_score": 47, + "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", + "type": "security_rule" } \ No newline at end of file 
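Review bot: The `note` on the new side still states only that "The GCP Filebeat module must be enabled", while the `index` list also targets `logs-gcp*`, which looks like the Elastic Agent integration data stream, so the stated prerequisite is narrower than what the rule actually reads. Suggest `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."`. Separately, the query requires `event.outcome:success`, so denied `DeleteServiceAccount` attempts by an unauthorized principal are deliberately out of scope; that is a defensible choice but worth one clause in the description so analysts do not expect attempt coverage from this rule.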
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-90169566-2260-4824-b8e4-8615c3b4ed52.json b/packages/security_detection_engine/kibana/security_rule/rule-90169566-2260-4824-b8e4-8615c3b4ed52.json index 22448fddc05..57ad9a46887 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-90169566-2260-4824-b8e4-8615c3b4ed52.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-90169566-2260-4824-b8e4-8615c3b4ed52.json 
@@ -1,33 +1,37 @@ { - "author": [ - "Elastic" - ], - "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", - "false_positives": [ - "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Hping Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)", - "references": [ - "https://en.wikipedia.org/wiki/Hping" - ], - "risk_score": 73, - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Hping Process Activity", + "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "risk_score": 73, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9055ece6-2689-4224-a0e0-b04881e1f8ad.json b/packages/security_detection_engine/kibana/security_rule/rule-9055ece6-2689-4224-a0e0-b04881e1f8ad.json index 3945e51a63c..75a507209fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9055ece6-2689-4224-a0e0-b04881e1f8ad.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9055ece6-2689-4224-a0e0-b04881e1f8ad.json 
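Review bot: The new side of this rule carries no `threat` array, unlike the other rules in this diff, so alerts from it arrive with no ATT&CK tactic or technique even though the description itself frames hping as a scanning and firewall-auditing tool; a mapping under the Discovery tactic (network service scanning) would make it consistent with its siblings. The match is purely on `process.name:(hping or hping2 or hping3)`, so a copied or renamed binary is not caught; if the data source populates `process.args` or a file hash field that would be the place for a second signal, but the hunk does not show what is available. With severity `high` and risk 73 for a tool the false-positive text says security engineers legitimately run, a sentence in `false_positives` recommending a user- or host-based exception for the security team would reduce tuning friction.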
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.", - "false_positives": [ - "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Cluster Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html" - ], - "risk_score": 47, - "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + 
"Elastic" + ], + "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.", + "false_positives": [ + "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Cluster Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html" + ], + "risk_score": 47, + "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "type": 
"security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9092cd6c-650f-4fa3-8a8a-28256c7489c9.json b/packages/security_detection_engine/kibana/security_rule/rule-9092cd6c-650f-4fa3-8a8a-28256c7489c9.json index 6d24f442415..992e301fddd 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9092cd6c-650f-4fa3-8a8a-28256c7489c9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9092cd6c-650f-4fa3-8a8a-28256c7489c9.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", - "false_positives": [ - "Trusted parent processes accessing their respective application passwords." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Keychain Password Retrieval via Command Line", - "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:(\"find-generic-password\" or \"find-internet-password\")", - "references": [ - "https://www.netmeister.org/blog/keychain-passwords.html", - "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", - "https://ss64.com/osx/security.html", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" - ], - "risk_score": 73, - "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + 
"description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "false_positives": [ + "Trusted parent processes accessing their respective application passwords." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Keychain Password Retrieval via Command Line", + "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:(\"find-generic-password\" or \"find-internet-password\")", + "references": [ + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", + "https://ss64.com/osx/security.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "risk_score": 73, + "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-90e28af7-1d96-4582-bf11-9a1eff21d0e5.json b/packages/security_detection_engine/kibana/security_rule/rule-90e28af7-1d96-4582-bf11-9a1eff21d0e5.json index 10cc21dc204..e7a8785bcc4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-90e28af7-1d96-4582-bf11-9a1eff21d0e5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-90e28af7-1d96-4582-bf11-9a1eff21d0e5.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies that a login attempt occurred at a forbidden time.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Login Attempt at Forbidden Time", - "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666" - ], - "risk_score": 47, - "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that a login attempt occurred at a forbidden time.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Auditd Login Attempt at Forbidden Time", + "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666" + ], + "risk_score": 47, + "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": 
"https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json b/packages/security_detection_engine/kibana/security_rule/rule-9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json index a378773b953..df533235504 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json 
@@ -1,36 +1,40 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", - "false_positives": [ - "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Route Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)", - "references": [ - "https://cloud.google.com/vpc/docs/routes", - "https://cloud.google.com/vpc/docs/using-routes" - ], - "risk_score": 21, - "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. 
An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Creation", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "risk_score": 21, + "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-91d04cd4-47a9-4334-ab14-084abe274d49.json b/packages/security_detection_engine/kibana/security_rule/rule-91d04cd4-47a9-4334-ab14-084abe274d49.json index df20155a8d8..ee3d6ccacd3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-91d04cd4-47a9-4334-ab14-084abe274d49.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-91d04cd4-47a9-4334-ab14-084abe274d49.json 
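Review bot: The query on the new side, `event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)`, has no `event.outcome` constraint, unlike the GCP service-account deletion rule in the same diff, so a denied `routes.insert` attempt and an actual route creation raise the same alert while the description says the rule identifies when a route "is created". Either append ` and event.outcome:success` to the query, which matches both the description and the sibling rule, or reword the description to say it identifies creation attempts. If failed attempts are deliberately in scope (they are a useful privilege-probing signal), say so in `false_positives` so analysts know to read the outcome field on each alert.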
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", - "false_positives": [ - "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS WAF Access Control List Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", - "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" - ], - "risk_score": 47, - "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web Application 
Firewall (WAF) access control list.", + "false_positives": [ + "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Access Control List Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" + ], + "risk_score": 47, + "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "91d04cd4-47a9-4334-ab14-084abe274d49", + "type": "security_rule" } \ No newline at end of file 
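Review bot: The query `event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success` has no `event.provider` constraint, unlike the RDS rule in this diff, so it matches `DeleteWebACL` from any WAF API flavour the provider field carries (classic, regional, and WAFV2), yet both references cite only the regional API, which suggests only that surface was considered. The breadth is probably what you want for a defense-evasion rule, but the scope should be explicit: either add a clause to the description (`... for WAF Classic, WAF Regional and WAFV2 web ACLs`) with the matching API references, or pin it with `and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)` — confirm the provider values against ingested events before adding the filter, since I am inferring them rather than reading them from the hunk.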
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8d77-07827ac4cee0.json b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8d77-07827ac4cee0.json index 05a2814843d..fd2140c01f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8d77-07827ac4cee0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8d77-07827ac4cee0.json 
@@ -1,29 +1,33 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", - "false_positives": [ - "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_user_agent", - "name": "Unusual Web User Agent", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. 
Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f55-07827ac3acc9.json b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f55-07827ac3acc9.json index 0d1365ff504..79a561a1789 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f55-07827ac3acc9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f55-07827ac3acc9.json 
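Review bot: The description on the new side says the job detected browsing "by an unusual process other than a web browser", but the job id `packetbeat_rare_user_agent` indicates the anomaly is rarity of the user-agent string in network data, and nothing in the hunk shows process attribution; unless the job is known to model a process field, reword to `A machine learning job detected a rare and unusual user agent string, which can indicate web activity by a process other than a browser.` so analysts do not expect a process name on the alert. The rule also carries no `threat` mapping while its own description names persistence, command-and-control and exfiltration as possible causes; adding those tactics, even without a technique, would make it consistent with the query rules in this diff.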
@@ -1,29 +1,33 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." 
- ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_urls", - "name": "Unusual Web Request", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f66-07827ac3bdd9.json b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f66-07827ac3bdd9.json index 2104ae3eba4..0e4246cf07d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f66-07827ac3bdd9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-91f02f01-969f-4167-8f66-07827ac3bdd9.json 
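Review bot: This rule only produces alerts when the `packetbeat_rare_urls` machine learning job is installed and running, yet unlike the query rules in this diff (the AWS EC2 Flow Log Deletion rule carries a `note` naming its required module) it has no `note` stating that prerequisite; the same gap applies to Unusual Web User Agent and DNS Tunneling. Consider adding `"note": "The packetbeat_rare_urls machine learning job must be installed and started for this rule to generate alerts."` inside `attributes`, with the matching `machine_learning_job_id` in the other two rules.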
@@ -1,29 +1,33 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", - "false_positives": [ - "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_dns_tunneling", - "name": "DNS Tunneling", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", - "severity": "low", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 4 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 4 + }, + "id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json b/packages/security_detection_engine/kibana/security_rule/rule-931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json index 63199ab938b..0a189a71ce6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sudoers File Modification", - "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)", - "risk_score": 47, - "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudoers File Modification", + "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)", + "risk_score": 47, + "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9395fd2c-9947-4472-86ef-4aceb2f7e872.json b/packages/security_detection_engine/kibana/security_rule/rule-9395fd2c-9947-4472-86ef-4aceb2f7e872.json index 09189935a3a..71929e48034 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9395fd2c-9947-4472-86ef-4aceb2f7e872.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9395fd2c-9947-4472-86ef-4aceb2f7e872.json 
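Review bot: This is the only rule in the set whose `attributes` carry no `false_positives` entry, although `file.path:(/etc/sudoers* or /private/etc/sudoers*)` also matches `/etc/sudoers.d/*`, which package managers and configuration-management tooling can legitimately rewrite. A tuning hint such as `"false_positives": ["Package managers and configuration-management tools that legitimately write to /etc/sudoers or /etc/sudoers.d can trigger this rule; add exceptions for those processes."]` helps analysts without weakening the query. Whether such writes actually occur in a given fleet is environment-specific, so this is guidance rather than an exclusion.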
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Flow Log Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" - ], - "risk_score": 73, - "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of one or more flow logs in AWS 
Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Flow Log Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" + ], + "risk_score": 73, + "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", + "type": "security_rule" } \ No newline at end of file 
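Review bot: The query requires `event.outcome:success`, so a `DeleteFlowLogs` call that is denied never surfaces, even though a denied attempt to remove logging is itself worth an analyst's attention. If the intent is to keep this rule focused on completed deletions, a sentence in `note` such as `Failed DeleteFlowLogs attempts are not covered by this rule; consider a companion rule without the event.outcome filter.` makes that scope explicit for whoever tunes it.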
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-93b22c0a-06a0-4131-b830-b10d5e166ff4.json b/packages/security_detection_engine/kibana/security_rule/rule-93b22c0a-06a0-4131-b830-b10d5e166ff4.json index 787b021eb71..366aea30b7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-93b22c0a-06a0-4131-b830-b10d5e166ff4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-93b22c0a-06a0-4131-b830-b10d5e166ff4.json 
@@ -1,75 +1,79 @@ { - "author": [ - "Elastic" - ], - "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", - "false_positives": [ - "Trusted SolarWinds child processes, verify process details such as network connections and file writes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious SolarWinds Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\")\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" - ], - "risk_score": 47, - "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", + "false_positives": [ + "Trusted SolarWinds child processes, verify process details such as network connections and file writes." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious SolarWinds Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" + ], + "risk_score": 47, + "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] }, - "technique": [ - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": 
"Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-93c1ce76-494c-4f01-8167-35edfb52f7b1.json b/packages/security_detection_engine/kibana/security_rule/rule-93c1ce76-494c-4f01-8167-35edfb52f7b1.json index 76931a756bb..628152d3041 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-93c1ce76-494c-4f01-8167-35edfb52f7b1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-93c1ce76-494c-4f01-8167-35edfb52f7b1.json 
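Review bot: The exception list in `query` is keyed on `process.name` alone, so trust in the listed SolarWinds helper processes rests on the file name rather than on the binary; anchoring the exceptions additionally on `process.executable` (the install directory) or `process.code_signature.subject_name` would tie them to the vendor's signed binaries. Minor style: `\"ExportToPDFCmd*.Exe\"` uses a different extension case from its neighbours, which EQL's `:` operator treats as equivalent, so normalising it to `.exe` keeps the list uniform.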
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Encoded Executable Stored in the Registry", - "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", - "risk_score": 47, - "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to hide an encoded portable executable. 
This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encoded Executable Stored in the Registry", + "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", + "risk_score": 47, + "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-93e63c3e-4154-4fc6-9f86-b411e0987bbf.json b/packages/security_detection_engine/kibana/security_rule/rule-93e63c3e-4154-4fc6-9f86-b411e0987bbf.json index 4cc361f34a5..bdfc5f5f5e9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-93e63c3e-4154-4fc6-9f86-b411e0987bbf.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-93e63c3e-4154-4fc6-9f86-b411e0987bbf.json 
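Review bot: The shipped `query` still carries the in-query placeholder `/* update here with encoding combinations */`, which reads as a maintainer TODO rather than analyst documentation; the single `TVqQAAMAAAAEAAAA*` pattern is what the rule matches today, and that scope belongs in a `note` while the TODO is tracked in an issue. Something like `"note": "This rule matches one base64 encoding of the PE header; other encodings are not covered by this query."` records the current coverage honestly.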
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", - "false_positives": [ - "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Deletion", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "risk_score": 47, - "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", + "false_positives": [ + "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Deletion", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "risk_score": 47, + "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "type": "security_rule" } \ No newline at end of file 
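Review bot: The `note` tells operators to lower the Filebeat module's `var.interval`, but `index` also targets `logs-google_workspace*`, i.e. the Google Workspace integration, whose polling setting is not mentioned, so an operator on the integration path gets no guidance. Add a bullet after the `var.interval` one covering the integration's equivalent polling interval so both ingestion paths are addressed; the `interval`/`from` values (10m, now-130m) do match what the note states.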
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-93f47b6f-5728-4004-ba00-625083b3dcb0.json b/packages/security_detection_engine/kibana/security_rule/rule-93f47b6f-5728-4004-ba00-625083b3dcb0.json index ac1d399511e..3222e997565 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-93f47b6f-5728-4004-ba00-625083b3dcb0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-93f47b6f-5728-4004-ba00-625083b3dcb0.json 
@@ -1,71 +1,75 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", - "false_positives": [ - "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Standard Authentication Module or Configuration", - "query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )", - "references": [ - "https://github.com/zephrax/linux-pam-backdoor", - "https://github.com/eurialo/pambd", - "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", - "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" - ], - "risk_score": 47, - "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Linux", - "Threat Detection", - "Credential Access", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + 
"false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Standard Authentication Module or Configuration", + "query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - 
"reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-954ee7c8-5437-49ae-b2d6-2960883898e9.json b/packages/security_detection_engine/kibana/security_rule/rule-954ee7c8-5437-49ae-b2d6-2960883898e9.json index 9adf40490be..682c6e9a04a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-954ee7c8-5437-49ae-b2d6-2960883898e9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-954ee7c8-5437-49ae-b2d6-2960883898e9.json 
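Review bot: The `process.executable` exception list in `query` includes `/usr/bin/vim`, an interactive editor, alongside package managers and `pam-auth-update`; that entry is much broader than its neighbours and puts edits of `/etc/pam.d/*` made through that editor outside the rule's coverage, so the rationale should be documented in a `note` or the entry reconsidered. Style: `/bin/yum` and the other paths are unquoted while `\"/usr/sbin/pam-auth-update\"` is quoted (required for the hyphen); quoting every path consistently avoids a parse surprise when another hyphenated path is added later.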
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Scheduled Task Creation", - "note": "Decode the base64 encoded tasks actions registry value to investigate the task configured action.", - "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where process.name : \"svchost.exe\" and\n network.direction == \"incoming\" and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", - "risk_score": 47, - "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote scheduled task creations on a target host. 
This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation", + "note": "Decode the base64 encoded tasks actions registry value to investigate the task configured action.", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where process.name : \"svchost.exe\" and\n network.direction == \"incoming\" and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "risk_score": 47, + "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "type": "eql", - "version": 2 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", 
+ "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json b/packages/security_detection_engine/kibana/security_rule/rule-96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json index 43baba1dbd0..fd7bca572c5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json 
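Review bot: The first sequence step pins `network.direction == "incoming"`, but ECS 1.8 renamed the direction values to `ingress`/`egress`, so endpoint data on the newer schema never satisfies the network step and the rule goes quiet with no error; accept both spellings, `network.direction : ("incoming", "ingress")`. That step also matches any `svchost.exe` with an inbound ephemeral-port connection rather than the Task Scheduler service host specifically, which widens the pairing window for the registry step; if the Schedule service's command line (`-s Schedule`) shows up in `process.args` on your endpoint data it would be a cheap narrowing, but confirm before adding it. The loopback exclusion only covers `127.0.0.1`/`::1`, so a local client talking to the host's own LAN address still counts as remote.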
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", - "false_positives": [ - "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Create Okta API Token", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:system.api_token.create", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. 
An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", + "false_positives": [ + "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Create Okta API Token", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:system.api_token.create", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json b/packages/security_detection_engine/kibana/security_rule/rule-96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json index fda0c2b716a..8ded29c4d87 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json 
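Review bot: The ATT&amp;CK mapping `T1136 Create Account` does not describe what `system.api_token.create` records: no account is created, an existing identity gains a long-lived credential. `T1098 Account Manipulation` with sub-technique `T1098.001 Additional Cloud Credentials` is the closer fit and is what an analyst pivoting from the alert would expect to find. Separately, the query has no `event.outcome` clause, so failed creation attempts alert too; that matches "Attempt" in the name, but the `note` should say so explicitly, e.g. `Failed token creations are intentionally in scope; do not add event.outcome:success.`, so nobody "fixes" it later.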
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access to Keychain Credentials Directories", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n", - "references": [ - "https://objective-see.com/blog/blog_0x25.html", - "https://securelist.com/calisto-trojan-for-macos/86543/" - ], - "risk_score": 73, - "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": 
"https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to Keychain Credentials Directories", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n", + "references": [ + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "risk_score": 73, + "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": 
"https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-97314185-2568-4561-ae81-f3e480e5e695.json b/packages/security_detection_engine/kibana/security_rule/rule-97314185-2568-4561-ae81-f3e480e5e695.json index fbca85e5f65..0a8e5824c05 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-97314185-2568-4561-ae81-f3e480e5e695.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-97314185-2568-4561-ae81-f3e480e5e695.json 
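Review bot: The `not process.args : ("find-certificate", …, "import", "find-identity")` exclusion applies to every process, not just `/usr/bin/security`, so any command line that carries one of those tokens as a stray extra argument is suppressed: `cat ~/Library/Keychains/login.keychain-db import` still dumps the file but never alerts, which is a cheap bypass for a high-severity rule. Scope the subcommand allow-list to the tool that actually uses those words, `not (process.name : "security" and process.args : ("find-certificate", "add-trusted-cert", …, "find-identity"))`, and keep the `openvpn.keychain-db` path and OpenVPN parent exclusions as they are. The parent exclusion matches on executable path alone, so anything dropped at that path is exempt as well; acceptable, but worth one line in `note` so analysts know it is a path trust, not a signature trust.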
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", - "false_positives": [ - "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" - ], - "risk_score": 47, - "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an 
anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695", + "type": "security_rule" } \ No newline at end of file 
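Review bot: The name and description promise "modification" of anti-phishing rules, but `event.action` only matches `Remove-AntiPhishRule` and `Disable-AntiPhishRule`; an attacker who runs `Set-AntiPhishRule` to narrow the recipients or add an exception domain gets the same weakening with no alert. Either extend the list, `event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule" or "Set-AntiPhishRule")`, and add the Set-AntiPhishRule documentation URL next to the two existing references, or rename the rule to "Anti-Phish Rule Deletion or Disablement" so the coverage is honest. The `false_positives` text only talks about deletion and needs the same adjustment whichever way you go.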
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-97359fd8-757d-4b1d-9af1-ef29e4a8680e.json b/packages/security_detection_engine/kibana/security_rule/rule-97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
index 8980fe3d4fe..317abcb6b93 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
@@ -1,35 +1,39 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
- "false_positives": [
- "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Storage Bucket Configuration Modification",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
- "references": [
- "https://cloud.google.com/storage/docs/key-terms#buckets"
- ],
- "risk_score": 47,
- "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+ "false_positives": [
+ "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Storage Bucket Configuration Modification",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
+ "references": [
+ "https://cloud.google.com/storage/docs/key-terms#buckets"
+ ],
+ "risk_score": 47,
+ "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json b/packages/security_detection_engine/kibana/security_rule/rule-97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json
index 34a09993d58..7fd0e7f0e56 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json
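Review bot: The `note` says only "The GCP Filebeat module must be enabled", yet the index list carries `logs-gcp*` and the query accepts `event.dataset:gcp.audit`, which is the Fleet integration's dataset; the Okta and Microsoft 365 rules in this commit phrase it as "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", and this one should read `The GCP Fleet integration or Filebeat module must be enabled to use this rule.` The description also talks about weakening the bucket's security controls, but `storage.buckets.update` is the bucket-metadata path; if I remember the Cloud Audit log correctly, IAM and ACL changes are recorded as `storage.setIamPermissions` and are not covered here, so either add that action or say in the description that permission changes are out of scope for this rule.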
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Zoom Child Process", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n", - "risk_score": 47, - "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. 
Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n", + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" }, - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-97f22dab-84e8-409d-955e-dacd1d31670b.json b/packages/security_detection_engine/kibana/security_rule/rule-97f22dab-84e8-409d-955e-dacd1d31670b.json index c53fac7f28e..ed83e34bbe2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-97f22dab-84e8-409d-955e-dacd1d31670b.json 
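Review bot: Both halves of the parent/child pair match on `process.name` only, so a copy of `cmd.exe` or `powershell.exe` launched under another filename slips past, which is exactly what a "run unnoticed" attacker would do. Anchoring the child on PE metadata is cheap where Elastic Endpoint populates it: `process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") or process.pe.original_file_name : ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll")`, but confirm the exact original-file-name strings against your telemetry before pinning them. The child list is also narrow for a rule named "Suspicious Zoom Child Process"; `wscript.exe`, `cscript.exe`, `mshta.exe`, `rundll32.exe` and `regsvr32.exe` are at least as likely as a shell to be spawned from a conferencing client by a malicious link or update package.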
+++ b/packages/security_detection_engine/kibana/security_rule/rule-97f22dab-84e8-409d-955e-dacd1d31670b.json 
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
- "false_positives": [
- "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Base64 Encoding/Decoding Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
- "risk_score": 21,
- "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1140",
- "name": "Deobfuscate/Decode Files or Information",
- "reference": "https://attack.mitre.org/techniques/T1140/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+ "false_positives": [
+ "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Base64 Encoding/Decoding Activity",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+ "risk_score": 21,
+ "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- {
- "id": "T1027",
- "name": "Obfuscated Files or Information",
- "reference": "https://attack.mitre.org/techniques/T1027/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "technique": [
+ {
+ "id": "T1140",
+ "name": "Deobfuscate/Decode Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1140/"
+ },
+ {
+ "id": "T1027",
+ "name": "Obfuscated Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1027/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-97fc44d3-8dae-4019-ae83-298c3015600f.json b/packages/security_detection_engine/kibana/security_rule/rule-97fc44d3-8dae-4019-ae83-298c3015600f.json
index 328d7bc9968..982d7e3b7f5 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-97fc44d3-8dae-4019-ae83-298c3015600f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-97fc44d3-8dae-4019-ae83-298c3015600f.json
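Review bot: The rule is tagged `Linux` only, but the query carries no OS constraint and both `auditbeat-*` and `logs-endpoint.events.*` also hold macOS process events, where a BSD `base64` binary exists, so it fires there too without the tags saying so; either add `host.os.type:linux` to the query (assuming that ECS field is populated by your sources; `host.os.family` is the older alternative) or add the `macOS` tag. The description speaks of encoding/decoding data in general, yet only the coreutils `base64*` binaries are matched, while `openssl base64`, `python -c 'import base64…'` and `perl -MMIME::Base64` are not, so the description or a `note` should state that only the standalone base64 utilities are in scope and that interpreter-based encoding is a known gap.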
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Startup or Run Key Registry Modification", - "query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n 
\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.domain != \"NT AUTHORITY\" and\n not registry.data.strings : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", - "risk_score": 21, - "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. 
In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add here common legit changes without making too 
restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.domain != \"NT AUTHORITY\" and\n not registry.data.strings : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9890ee61-d061-403d-9bf6-64934c51f638.json b/packages/security_detection_engine/kibana/security_rule/rule-9890ee61-d061-403d-9bf6-64934c51f638.json index 270ddf62d09..76b3c9eb802 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9890ee61-d061-403d-9bf6-64934c51f638.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9890ee61-d061-403d-9bf6-64934c51f638.json 
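Review bot: `user.domain != "NT AUTHORITY"` blinds the rule to every Run-key write performed as SYSTEM, LocalService or NetworkService, which is precisely the context a service-based lateral-movement tool or an exploited service plants persistence from; together with the blanket `not registry.data.strings : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe")` exception, a dropper staged under a writable Program Files subfolder and registered from a SYSTEM process never alerts. I would narrow the SYSTEM exception to writes made by Windows' own binaries, `not (user.domain == "NT AUTHORITY" and process.executable : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*"))`, and tune from there rather than excluding the whole identity. Also note that EQL, as far as I recall, evaluates `!=` against a missing field as null rather than true, so events that carry no `user.domain` at all are dropped by that clause; confirm against the EQL null-handling docs, since `not user.domain : "NT AUTHORITY"` behaves differently for absent fields.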
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", - "false_positives": [ - "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Service Account Key Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts", - "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" - ], - "risk_score": 21, - "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + 
"attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", + "false_positives": [ + "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Service Account Key Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "risk_score": 21, + "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + 
"id": "9890ee61-d061-403d-9bf6-64934c51f638", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-98995807-5b09-4e37-8a54-5cae5dc932d7.json b/packages/security_detection_engine/kibana/security_rule/rule-98995807-5b09-4e37-8a54-5cae5dc932d7.json index b2db89c3c95..aac51a52a3b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-98995807-5b09-4e37-8a54-5cae5dc932d7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-98995807-5b09-4e37-8a54-5cae5dc932d7.json 
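Review bot: The `note` still reads "The GCP Filebeat module must be enabled to use this rule" although the `index` list includes `logs-gcp*`, the Fleet integration data stream; the Okta and Microsoft 365 rules in this same change phrase it as "Fleet integration or Filebeat module". Suggest `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."` so operators running the integration do not conclude the rule is unsupported. Separately, the query keeps `event.outcome:success`, so a denied `DeleteServiceAccountKey` call from a principal probing its permissions never alerts; if that is deliberate, a sentence in the description saying failed attempts are out of scope would save the next reader the question.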
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", - "false_positives": [ - "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Management Group Role Assignment", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" - ], - "risk_score": 47, - "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. 
An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "type": "security_rule" } \ No newline at end of file 
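Review bot: The query fires on every successful `New-ManagementRoleAssignment` regardless of which role is granted or to whom, yet neither the description nor the `note` tells an analyst what to examine, so each routine assignment lands as a medium alert with no triage guidance. Suggest extending the note with something like `Review the role and the assignee recorded in the audit event's parameters; assignment of mailbox-access or impersonation roles to an unexpected user, group or application warrants escalation.` The name and description speak of a role "assigned to a management group", while the referenced cmdlet documentation describes assigning a role to a role group, user or policy, so the wording is worth aligning with the cmdlet's actual targets.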
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-98fd7407-0bd5-5817-cda0-3fcc33113a56.json b/packages/security_detection_engine/kibana/security_rule/rule-98fd7407-0bd5-5817-cda0-3fcc33113a56.json index 079f8843b3b..a27b68c497f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-98fd7407-0bd5-5817-cda0-3fcc33113a56.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-98fd7407-0bd5-5817-cda0-3fcc33113a56.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", - "false_positives": [ - "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Snapshot Activity", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" - ], - "risk_score": 47, - "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An attempt was made to modify AWS EC2 snapshot attributes. 
Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Snapshot Activity", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" + ], + "risk_score": 47, + "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", + "type": "security_rule" } \ No newline at end of file 
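Review bot: The query alerts on any `ModifySnapshotAttribute` call, but the description asks the analyst to "verify the snapshot was not shared with an unauthorized or unexpected AWS account" without saying where that is visible or that the same API also sets the unrelated product-code attribute. Suggest adding to the `note`: `Inspect the CloudTrail request parameters for a createVolumePermission change that adds an external AWS account ID or the group "all" (public sharing); product-code attribute changes are not sharing events.` Unlike the GCP and Microsoft 365 rules in this change there is no `event.outcome` clause, so denied attempts alert too; that matches the "attempt" wording in the description, but a sentence stating it is intentional would stop it being read as an omission.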
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-990838aa-a953-4f3e-b3cb-6ddf7584de9e.json b/packages/security_detection_engine/kibana/security_rule/rule-990838aa-a953-4f3e-b3cb-6ddf7584de9e.json index a414398d61b..df62d1eacd3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-990838aa-a953-4f3e-b3cb-6ddf7584de9e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-990838aa-a953-4f3e-b3cb-6ddf7584de9e.json 
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Process Injection - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
- "risk_score": 47,
- "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Process Injection - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+ "risk_score": 47,
+ "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-99239e7d-b0d4-46e3-8609-acafcf99f68c.json b/packages/security_detection_engine/kibana/security_rule/rule-99239e7d-b0d4-46e3-8609-acafcf99f68c.json
index 5aff0e74b33..56d3acb0937 100644
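Review bot: This rule has no `timestamp_override`, while every other rule in this change sets `"timestamp_override": "event.ingested"`; with `"from": "now-15m"` and `"interval": "10m"` an Endgame alert that reaches the index more than five minutes after its `@timestamp` falls outside every execution window and is silently dropped. Suggest adding `"timestamp_override": "event.ingested",` before `"type": "query"`, matching the sibling rules. The rule also carries no `threat` array although its name and description say it detects process injection, so it is absent from ATT&CK coverage views; a Defense Evasion entry for T1055 Process Injection in the same shape the other rules use would close that gap.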
--- a/packages/security_detection_engine/kibana/security_rule/rule-99239e7d-b0d4-46e3-8609-acafcf99f68c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-99239e7d-b0d4-46e3-8609-acafcf99f68c.json 
@@ -1,79 +1,83 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.", - "false_positives": [ - "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "macOS Installer Spawns Network Event", - "query": "sequence by process.entity_id with maxspan=1m\n [ process where event.type == \"start\" and host.os.family == \"macos\" and \n process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n [ network where not cidrmatch(destination.ip,\n \"192.168.0.0/16\",\n \"10.0.0.0/8\",\n \"172.16.0.0/12\",\n \"224.0.0.0/8\",\n \"127.0.0.0/8\",\n \"169.254.0.0/16\",\n \"::1\",\n \"FE80::/10\",\n \"FF00::/8\") ]\n", - "references": [ - "https://redcanary.com/blog/clipping-silver-sparrows-wings" - ], - "risk_score": 47, - "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.", + "false_positives": [ + "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. 
If known behavior is causing false positives, it can be excluded from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "macOS Installer Spawns Network Event", + "query": "sequence by process.entity_id with maxspan=1m\n [ process where event.type == \"start\" and host.os.family == \"macos\" and \n process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n [ network where not cidrmatch(destination.ip,\n \"192.168.0.0/16\",\n \"10.0.0.0/8\",\n \"172.16.0.0/12\",\n \"224.0.0.0/8\",\n \"127.0.0.0/8\",\n \"169.254.0.0/16\",\n \"::1\",\n \"FE80::/10\",\n \"FF00::/8\") ]\n", + "references": [ + "https://redcanary.com/blog/clipping-silver-sparrows-wings" + ], + "risk_score": 47, + "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript/JScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.007", - "name": "JavaScript/JScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": 
"T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9a1a2dae-0b5f-4c3d-8305-a268d404c306.json b/packages/security_detection_engine/kibana/security_rule/rule-9a1a2dae-0b5f-4c3d-8305-a268d404c306.json index d5750147f2b..5b7636c7a94 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9a1a2dae-0b5f-4c3d-8305-a268d404c306.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9a1a2dae-0b5f-4c3d-8305-a268d404c306.json 
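Review bot: The second stage of the sequence, `network where not cidrmatch(destination.ip, ...)`, constrains only the destination address and not the event's direction or type, so if the endpoint data stream records inbound or non-connection network events for the installer's child they match as well. Suggest `[ network where event.type == "start" and not cidrmatch(destination.ip, ...) ]`, or a `network.direction` clause if that field is populated; I cannot confirm from the hunk which values the endpoint integration emits for macOS network events, so check against sample data before changing it. The exclusion list also omits `100.64.0.0/10` (carrier-grade NAT), which is private-like address space that would currently count as an external destination.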
@@ -1,68 +1,72 @@ { - "author": [ - "Elastic" - ], - "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", - "enabled": true, - "exceptions_list": [ - { - "id": "endpoint_list", - "list_id": "endpoint_list", - "namespace_type": "agnostic", - "type": "endpoint" - } - ], - "from": "now-10m", - "index": [ - "logs-endpoint.alerts-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Endpoint Security", - "query": "event.kind:alert and event.module:(endpoint and not endgame)", - "risk_score": 47, - "risk_score_mapping": [ - { - "field": "event.risk_score", - "operator": "equals", - "value": "" - } - ], - "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", - "rule_name_override": "message", - "severity": "medium", - "severity_mapping": [ - { - "field": "event.severity", - "operator": "equals", - "severity": "low", - "value": "21" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "medium", - "value": "47" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "high", - "value": "73" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "critical", - "value": "99" - } - ], - "tags": [ - "Elastic", - "Endpoint Security" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. 
Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "enabled": true, + "exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "from": "now-10m", + "index": [ + "logs-endpoint.alerts-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Endpoint Security", + "query": "event.kind:alert and event.module:(endpoint and not endgame)", + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Elastic", + "Endpoint Security" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json b/packages/security_detection_engine/kibana/security_rule/rule-9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json index 839738b4433..fbbab5a6fb0 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Explorer Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n", - "risk_score": 47, - "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious Windows explorer child process. 
Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Explorer Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n", + "risk_score": 47, + "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9aa0e1f6-52ce-42e1-abb3-09657cee2698.json b/packages/security_detection_engine/kibana/security_rule/rule-9aa0e1f6-52ce-42e1-abb3-09657cee2698.json index fba2b139f38..d649350a964 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9aa0e1f6-52ce-42e1-abb3-09657cee2698.json 
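Review bot: The description says only that explorer.exe "can be abused to launch malicious scripts or executables from a trusted parent process", but the query's real discriminator is `process.parent.args : "-Embedding"`, i.e. an explorer.exe instance started through COM/DCOM activation; a user double-clicking a script in an ordinary explorer window does not match, and a reader of the description would expect it to. Suggest stating that, e.g. `Identifies script and command interpreters spawned by an explorer.exe instance that was itself started via COM activation (-Embedding), which is not how a user's desktop shell launches programs.` The same launch pattern is commonly produced by DCOM-based lateral movement, so a Lateral Movement / T1021.003 entry alongside the current Phishing mapping is worth considering, and a `false_positives` entry for COM-automated explorer instances from management tooling would help tuning.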
+++ b/packages/security_detection_engine/kibana/security_rule/rule-9aa0e1f6-52ce-42e1-abb3-09657cee2698.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Scheduled Tasks AT Command Enabled", - "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" - ], - "risk_score": 47, - "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. 
The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Tasks AT Command Enabled", + "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" + ], + "risk_score": 47, + "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json b/packages/security_detection_engine/kibana/security_rule/rule-9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json index 8549eb96f45..941da0d4d3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json 
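Review bot: The description says attackers enable AT to "move laterally or persist locally", but the `threat` mapping is Defense Evasion / T1562.001 Disable or Modify Tools, which does not describe enabling a deprecated scheduler; the two visible fields disagree about what the rule detects. Consider adding a Persistence / T1053 Scheduled Task/Job entry (sub-technique T1053.002 At) so ATT&CK coverage reflects the description. The clause `registry.data.strings == "1"` is an exact, case-sensitive match; the `index` list includes `winlogbeat-*`, so confirm that the winlogbeat/Sysmon path renders this DWORD as the bare string `1` rather than a decorated form, otherwise those sources never fire.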
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via WMI Event Subscription", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", - "risk_score": 21, - "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. 
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Event Subscription", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "risk_score": 21, + "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9c260313-c811-4ec8-ab89-8f6530e0246c.json b/packages/security_detection_engine/kibana/security_rule/rule-9c260313-c811-4ec8-ab89-8f6530e0246c.json index a4788a62e59..1980a45ac47 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9c260313-c811-4ec8-ab89-8f6530e0246c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9c260313-c811-4ec8-ab89-8f6530e0246c.json 
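Review bot: The query only sees subscriptions created through `wmic.exe` (`process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe"`), so the same `ActiveScriptEventConsumer`/`CommandLineEventConsumer` persistence set up from PowerShell (`Set-WmiInstance`/`New-CimInstance`) or via a compiled MOF loaded with `mofcomp.exe` is not covered, which is narrower than the name "Persistence via WMI Event Subscription" suggests; if those paths are handled by other rules a `note` saying so would help, otherwise the name or the query should be adjusted. The `threat` mapping stops at the generic T1546 although the sibling rules nest a `subtechnique`; ATT&CK has a dedicated Windows Management Instrumentation Event Subscription sub-technique (T1546.003) for exactly this behaviour, and adding it would make the mapping precise. This rule is also the only one in the set with no `references` array, which is worth filling given how well documented the technique is.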
@@ -1,60 +1,64 @@ { - "author": [ - "Elastic" - ], - "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Hosts File Modified", - "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.", - "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")", - "references": [ - "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" - ], - "risk_score": 47, - "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Windows", - "macOS", - "Threat Detection", - "Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "The hosts file on endpoints is used to control 
manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Hosts File Modified", + "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.", + "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")", + "references": [ + "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" + ], + "risk_score": 47, + "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "9c260313-c811-4ec8-ab89-8f6530e0246c", + "type": "security_rule" } \ No newline at end of file 
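Review bot: The KQL `file.path:(... or "C:\Windows\System32\drivers\etc\hosts")` clause is an exact keyword term match, so on Windows a write recorded with different path casing (for example `c:\windows\...`) or through the `SysNative`/short-name form would not match; whether the listed shippers normalise `file.path` that way is not visible here, so it should be checked against real `logs-endpoint.events.*` and `winlogbeat-*` documents before relying on the Windows branch. A more tolerant form that keeps the Linux/macOS matches exact is to add `(file.name:hosts and file.path:*drivers\etc\hosts)` as an extra alternative, assuming `file.name` is populated (JSON escaping of the backslashes to be adjusted). There is also no `false_positives` entry even though the rule fires on every `change or creation` of the file, and in many environments VPN clients, container tooling and configuration management rewrite hosts routinely; the `note` about Auditbeat is the only tuning guidance a user gets.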
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9ccf3ce0-0057-440a-91f5-870c6ad39093.json b/packages/security_detection_engine/kibana/security_rule/rule-9ccf3ce0-0057-440a-91f5-870c6ad39093.json index e7e42724658..bee306b4184 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9ccf3ce0-0057-440a-91f5-870c6ad39093.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9ccf3ce0-0057-440a-91f5-870c6ad39093.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", - "false_positives": [ - "Microsoft Windows installers leveraging RunDLL32 for installation." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Shell Activity Started via RunDLL32", - "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", - "risk_score": 21, - "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Shell Activity Started via RunDLL32", + "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", + "risk_score": 21, + "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1.json index b36708318a4..47ee54942e7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1.json 
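Review bot: The `threat` mapping lists only the PowerShell sub-technique (T1059.001), but `process.name : ("cmd.exe", "powershell.exe")` fires just as much for cmd.exe, which ATT&CK tracks as Windows Command Shell (T1059.003), and the rundll32 proxy itself (System Binary Proxy Execution: Rundll32, T1218.011) is not mapped at all; adding both would make the alert discoverable from the techniques an analyst actually searches. The second exclusion under `/* common FPs can be added here */`, `C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc`, is keyed purely on an attacker-controllable argument string: any rundll32 call that names a `.tmp` file under `C:\WINDOWS\` with that export is silently dropped, so a comment recording why it is safe (presumably the Windows Installer custom-action host) would let the next maintainer re-evaluate it. `pwsh.exe` is absent from the child list, which may be deliberate but is worth a word in `false_positives` or `note`.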
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", - "false_positives": [ - "These programs may be used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Trusted Developer Application Usage", - "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", + "false_positives": [ + "These programs may be used by Windows developers but use by non-engineers is unusual." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Trusted Developer Application Usage", + "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json index a66bf86f15e..a22ddb599b9 100644 
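Review bot: `process.name:(MSBuild.exe or msxsl.exe)` is a KQL term match on a keyword field and is therefore case-sensitive; whether every source in `index` (`winlogbeat-*`, `logs-windows.*`, `logs-endpoint.events.*`) reports the executable name with exactly this casing is not visible here and should be verified, since a lowercase `msbuild.exe` from one shipper would make the rule silently blind. The second `threat` entry (Execution, TA0002) carries an empty `"technique": []`, which adds a tactic tag with nothing to pivot on — either fill it or drop the entry. The description, "Identifies possibly suspicious activity using trusted Windows developer activity", repeats "activity" and never names the binaries; something like "Identifies execution of trusted Windows developer utilities (MSBuild.exe, msxsl.exe) that can be used to proxy execution of malicious code" states what the query does.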
--- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by a Script Process", - "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a Script Process", + "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json index 1b5c1e2a856..5eed9b67073 100644 
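Review bot: The query restricts to `event.type: start`, while the sibling MSBuild rules in this same change (…ae1, …ae3, …ae4, …ae6) use `event.type:(start or process_started)` over the identical `index` list; if any of those sources still emits `process_started`, this rule alone will miss the event, so either align it to `event.type:(start or process_started)` or explain the difference in a `note`. The parent list `(cmd.exe or powershell.exe or cscript.exe or wscript.exe)` omits `pwsh.exe` and `mshta.exe`, which are equally plausible script hosts for the behaviour the description describes; that may be an intentional noise trade-off but deserves a comment in `false_positives`. Both `process.name` and `process.parent.name` are exact keyword matches, so name casing across the listed shippers should be confirmed as well.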
--- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by a System Process", - "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)", - "risk_score": 47, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a System Process", + "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)", + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json index e3afa73301b..6b985a2dd85 100644 
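Review bot: Matching on `process.name:MSBuild.exe` alone means a renamed copy of the Build Engine launched from Explorer or WMI is invisible to this rule, even though the companion rule in this change ("Microsoft Build Engine Using an Alternate Name") treats renaming as an expected evasion; widening the clause to `(process.name:MSBuild.exe or process.pe.original_file_name:MSBuild.exe)` closes that gap for sources that populate the PE field. `process.parent.name:(explorer.exe or wmiprvse.exe)` is likewise an unqualified name match; constraining the parent with its expected `process.parent.executable` location under `C:\Windows` would be more precise, though it may cost coverage on sources that do not fill that field, so treat it as optional. The empty `"technique": []` under the Execution tactic should be filled or removed, as in the other MSBuild rules.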
--- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Using an Alternate Name", - "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json index 553df73baac..639394d086f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json 
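Review bot: `not process.name: MSBuild.exe` is an exact, case-sensitive keyword exclusion, so a perfectly legitimate `msbuild.exe` reported in lowercase by one of the listed shippers would be flagged as "renamed" while `process.pe.original_file_name:MSBuild.exe` still matches; either enumerate the known casings or make the check case-insensitive, after confirming how `winlogbeat-*`, `logs-windows.*` and `logs-endpoint.events.*` actually populate `process.name`. The rule also depends entirely on `process.pe.original_file_name`, which as far as I know is only present for sources that parse the PE version resource (Sysmon, Elastic Endpoint) and not for Security-channel 4688 process-creation events, so on that portion of `logs-windows.*` it cannot fire; a `note` stating this data requirement would save tuning time and explain silent non-detections.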
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Loading Windows Credential Libraries", - "query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe", - "risk_score": 73, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Loading Windows Credential Libraries", + "query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe", + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json index d0964fa0163..6dcb0c0ea7f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json 
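Review bot: The query tests `process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL)` in the same clause that requires `process.name: MSBuild.exe`, which can only both hold if the source copies the loaded image's version info into the process PE fields; for an ECS library-load event the DLL's metadata would be expected on `dll.pe.original_file_name`, so this half of the OR looks like a field mix-up and should be confirmed against real Sysmon event 7 and Endpoint library documents. Relatedly, `event.category:process and event.type:change` is how the Winlogbeat Sysmon module has represented image loads, whereas Elastic Endpoint library events are, as far as I recall, `event.category:library`, so on `logs-endpoint.events.*` this rule may never match despite that index being listed; widening to `event.category:(process or library)` and checking the matching `event.type` would make the `index` list honest. Given the `high` severity, a `note` naming the required data source would help responders trust a hit.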
@@ -1,59 +1,63 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started an Unusual Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/", - "subtechnique": [ - { - "id": "T1027.004", - "name": "Compile After Delivery", - "reference": "https://attack.mitre.org/techniques/T1027/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. 
This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started an Unusual Process", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json index 9ca177a8749..8c8ed5d099d 100644 
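Review bot: The description says MSBuild "started a PowerShell script or the Visual C# Command Line Compiler", but the query also matches `iexplore.exe` as the child, and that case is neither explained in the text nor covered by the T1027.004 Compile After Delivery mapping; either document why Internet Explorer spawned by MSBuild is interesting (presumably as an injection or proxy target rather than compilation) and map it accordingly, or move it to a rule whose technique fits. The child list omits `pwsh.exe` and the VB compiler `vbc.exe`, which MSBuild inline tasks can invoke just as they do `csc.exe`; that may be a deliberate noise decision but is worth a sentence in `false_positives`. As with the sibling rules, `process.parent.name:MSBuild.exe` alone will not catch a renamed MSBuild parent.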
--- a/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Process Injection by the Microsoft Build Engine", - "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." 
+ ], + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "type": "security_rule" } \ No newline at end of file 
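Review bot: The new top-level `id` repeats `attributes.rule_id` with nothing in the file keeping the two equal, so an edit that changes one and not the other silently yields a saved object whose id and rule id disagree; the same applies to every file section in this diff (9d19ece6, 9d302377, 9f9a2a82, a00681e3, a10d3d9d, a13167f1, a1329140, a17bcc91, a1a0375f). If the packaging step derives `id` from `rule_id`, a build-time check that asserts they match would make this safe to hand-edit. Separately, `process.name:MSBuild.exe` is an exact term match on a keyword field, so a source that normalizes the image name to lower case would not match; the sibling EQL rules in this diff use the case-insensitive `:` operator, which is worth considering here too.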
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d19ece6-c20e-481a-90c5-ccca596537de.json b/packages/security_detection_engine/kibana/security_rule/rule-9d19ece6-c20e-481a-90c5-ccca596537de.json index 4d2aeeb52ee..c160bfee33d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9d19ece6-c20e-481a-90c5-ccca596537de.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d19ece6-c20e-481a-90c5-ccca596537de.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.", - "false_positives": [ - "Trusted applications persisting via LaunchDaemons" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "LaunchDaemon Creation or Modification and Immediate Loading", - "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \" /Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "risk_score": 21, - "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.", + "false_positives": [ + "Trusted applications persisting via LaunchDaemons" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LaunchDaemon Creation or Modification and Immediate Loading", + "query": "sequence by host.id with 
maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \" /Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 21, + "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "9d19ece6-c20e-481a-90c5-ccca596537de", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9d302377-d226-4e12-b54c-1906b5aec4f6.json b/packages/security_detection_engine/kibana/security_rule/rule-9d302377-d226-4e12-b54c-1906b5aec4f6.json index 558d0287566..b0952588fa8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9d302377-d226-4e12-b54c-1906b5aec4f6.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9d302377-d226-4e12-b54c-1906b5aec4f6.json 
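Review bot: The second path literal in the EQL query, `" /Library/LaunchDaemons/*"`, carries a leading space, so writes under `/Library/LaunchDaemons/` never match and the rule is effectively limited to the `/System/Library/LaunchDaemons/` path; it should read `"/Library/LaunchDaemons/*"`. Also, if EQL's `in` compares literally (as I believe it does), the trailing `*` is never expanded and neither path matches at all; the wildcard-aware form `file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")` would resolve both problems. The defect is on the removed side as well, so it predates this commit, but the rule is carried over as `version: 2` and this migration is the moment to fix and bump it.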
@@ -1,27 +1,31 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_rare_metadata_process", - "name": "Unusual Linux Process Calling the Metadata Service", - "risk_score": 21, - "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_rare_metadata_process", + "name": "Unusual Linux Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 2 + }, + "id": "9d302377-d226-4e12-b54c-1906b5aec4f6", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-9f9a2a82-93a8-4b1a-8778-1780895626d4.json b/packages/security_detection_engine/kibana/security_rule/rule-9f9a2a82-93a8-4b1a-8778-1780895626d4.json index 07b54894aff..8553ee6b016 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-9f9a2a82-93a8-4b1a-8778-1780895626d4.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-9f9a2a82-93a8-4b1a-8778-1780895626d4.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", - "false_positives": [ - "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "File Permission Modification in Writable Directory", - "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root", - "risk_score": 21, - "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", + "false_positives": [ + "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Permission Modification in Writable Directory", + "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root", + "risk_score": 21, + "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a00681e3-9ed6-447c-ab2c-be648821c622.json b/packages/security_detection_engine/kibana/security_rule/rule-a00681e3-9ed6-447c-ab2c-be648821c622.json index 2e4a5e9f75f..84d1760167b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a00681e3-9ed6-447c-ab2c-be648821c622.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a00681e3-9ed6-447c-ab2c-be648821c622.json 
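Review bot: The query keys on `process.working_directory:(/tmp or /var/tmp or /dev/shm)` rather than on the file whose mode is changed, so `chmod` run against a file in `/tmp` from any other working directory, or from a subdirectory such as `/tmp/build`, is not matched, while the description promises detection of permission changes in those directories. Adding a target-path clause, e.g. `or process.args:(/tmp/* or /var/tmp/* or /dev/shm/*)` next to the working-directory clause, would align the query with the description; if the working-directory heuristic is deliberate, the description or `false_positives` text should say so. The `not user.name:root` clause also passes events where `user.name` is absent, which deserves a sentence in the rule note.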
@@ -1,56 +1,60 @@ { - "author": [ - "Nick Jones", - "Elastic" - ], - "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Access Secret in Secrets Manager", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue", - "references": [ - "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", - "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" - ], - "risk_score": 73, - "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Data Protection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString 
API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Access Secret in Secrets Manager", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" + ], + "risk_score": 73, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a10d3d9d-0f65-48f1-8b25-af175e2594f5.json b/packages/security_detection_engine/kibana/security_rule/rule-a10d3d9d-0f65-48f1-8b25-af175e2594f5.json index a6d2310606a..b5ea2d0ab9a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a10d3d9d-0f65-48f1-8b25-af175e2594f5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a10d3d9d-0f65-48f1-8b25-af175e2594f5.json 
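Review bot: The `false_positives` entry refers to a `GetSecretString` API, but the query matches `event.action:GetSecretValue` and the reference link is the GetSecretValue API page, so an analyst triaging this high-severity alert is pointed at a name that does not exist in CloudTrail. Change the text to `... should be using the GetSecretValue API for the specified SecretId ...`. With `risk_score: 73` and no constraint on `event.outcome` or identity type, the rule also fires on every secret read by any workload, which is routine for applications that fetch secrets at start-up; documenting in `note` that the rule is expected to be tuned per account would set expectations.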
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", - "false_positives": [ - "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Topic Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success", - "references": [ - "https://cloud.google.com/pubsub/docs/admin" - ], - "risk_score": 21, - "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage Object", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). 
In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", + "false_positives": [ + "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Topic Creation", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success", + "references": [ + "https://cloud.google.com/pubsub/docs/admin" + ], + "risk_score": 21, + "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage Object", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a13167f1-eec2-4015-9631-1fee60406dcf.json b/packages/security_detection_engine/kibana/security_rule/rule-a13167f1-eec2-4015-9631-1fee60406dcf.json index c30332f8db8..8d8571ff7e4 100644 
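Review bot: The MITRE mapping to T1530 (Data from Cloud Storage Object) under Collection is a stretch for a Pub/Sub topic creation, which is messaging infrastructure rather than storage, and the description explains only what a topic is without saying why creating one is suspicious. If the intent is that an attacker-created topic can be used to relay collected data, the description should say so and the mapping can stand; otherwise the rule is a pure audit event, which the `Log Auditing` tag already conveys, and the `threat` entry should be reconsidered. Either way the reasoning behind the pairing belongs in `note` so it survives the next review.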
--- a/packages/security_detection_engine/kibana/security_rule/rule-a13167f1-eec2-4015-9631-1fee60406dcf.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a13167f1-eec2-4015-9631-1fee60406dcf.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "InstallUtil Process Making Network Connections", - "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n", - "risk_score": 21, - "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.004", - "name": "InstallUtil", - "reference": "https://attack.mitre.org/techniques/T1218/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies InstallUtil.exe making outbound network connections. 
This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "InstallUtil Process Making Network Connections", + "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n", + "risk_score": 21, + "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.004", + "name": "InstallUtil", + "reference": "https://attack.mitre.org/techniques/T1218/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "a13167f1-eec2-4015-9631-1fee60406dcf", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a1329140-8de3-4445-9f87-908fb6d824f4.json b/packages/security_detection_engine/kibana/security_rule/rule-a1329140-8de3-4445-9f87-908fb6d824f4.json index 915f922e3cc..e18c8e3b937 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a1329140-8de3-4445-9f87-908fb6d824f4.json 
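Review bot: `severity: medium` is paired with `risk_score: 21`, while every other rule in this diff uses 21 for `low`, 47 for `medium` and 73 for `high`, so one of the two values is wrong; assuming the medium label is intended, change to `"risk_score": 47`. Separately, `network.direction == "outgoing"` is an exact match for one vendor's value; the `index` list also includes `winlogbeat-*` and `logs-windows.*`, whose events would, if they follow current ECS, carry `egress` rather than `outgoing`, so those sources could never satisfy the second sequence stage unless the comparison is widened to `network.direction in ("outgoing", "egress")`.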
+++ b/packages/security_detection_engine/kibana/security_rule/rule-a1329140-8de3-4445-9f87-908fb6d824f4.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "File Deletion via Shred", - "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")", - "risk_score": 21, - "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. 
Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")", + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a17bcc91-297b-459b-b5ce-bc7460d8f82a.json b/packages/security_detection_engine/kibana/security_rule/rule-a17bcc91-297b-459b-b5ce-bc7460d8f82a.json index 676f6d21148..6f0575c8799 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a17bcc91-297b-459b-b5ce-bc7460d8f82a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a17bcc91-297b-459b-b5ce-bc7460d8f82a.json 
@@ -1,36 +1,40 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", - "false_positives": [ - "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Route Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success", - "references": [ - "https://cloud.google.com/vpc/docs/routes", - "https://cloud.google.com/vpc/docs/using-routes" - ], - "risk_score": 47, - "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. 
An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "risk_score": 47, + "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json b/packages/security_detection_engine/kibana/security_rule/rule-a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json index 391b046ddd6..fef7a8564e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json 
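Review bot: This rule has no `threat` array, while every sibling rule in this diff carries a MITRE ATT&CK mapping and the description frames the deletion as an adversary acting against traffic flow, so it will appear as unmapped in coverage views. Adding a `threat` entry with the same `framework` / `tactic` / `technique` shape as the other files is the fix; the tactic is a judgement call (the description's wording points toward Impact, though cloud configuration tampering is also defensible), so pick one and record the reasoning in `note`.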
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell Activity via Terminal", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", - "https://github.com/WangYihang/Reverse-Shell-Manager", - "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" - ], - "risk_score": 73, - "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell Activity via Terminal", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name 
in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" + ], + "risk_score": 73, + "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json b/packages/security_detection_engine/kibana/security_rule/rule-a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json index b41ae4736bc..d6d79177497 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json 
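Review bot: `zmodload` in the `process.name` list on the new side appears to be dead: as far as I know it is a zsh builtin rather than an executable, so a process-start event will never carry that name, and the `zsh/net/tcp` / `zsh/net/udp` arguments are only ever observed under a `zsh` process. Leaving it in suggests a separate module-load case is covered when it is not. Suggest `process.name in ("sh", "bash", "zsh", "dash") and`; if the intent was to catch the builtin appearing in a command line, that belongs in the `process.args` clause instead.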
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via local SxS Shared Module", - "note": "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", - "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" - ], - "risk_score": 47, - "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1129", - "name": "Shared Modules", - "reference": "https://attack.mitre.org/techniques/T1129/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. 
Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via local SxS Shared Module", + "note": "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", + "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" + ], + "risk_score": 47, + "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1129", + "name": "Shared Modules", + "reference": "https://attack.mitre.org/techniques/T1129/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json b/packages/security_detection_engine/kibana/security_rule/rule-a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json index de8273dfe03..55b6c9d0331 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Assume Role Policy Update", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success", - "references": [ - "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" - ], - "risk_score": 21, - "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. 
An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Assume Role Policy Update", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success", + "references": [ + "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" + ], + "risk_score": 21, + "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a605c51a-73ad-406d-bf3a-f24cc41d5c97.json b/packages/security_detection_engine/kibana/security_rule/rule-a605c51a-73ad-406d-bf3a-f24cc41d5c97.json index 55fb1bcf00b..049c96c33f5 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-a605c51a-73ad-406d-bf3a-f24cc41d5c97.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a605c51a-73ad-406d-bf3a-f24cc41d5c97.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", - "false_positives": [ - "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Active Directory PowerShell Sign-in", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)", - "references": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", - "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide" - ], - "risk_score": 21, - "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - 
"reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", + "false_positives": [ + "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory PowerShell Sign-in", + "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", + "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide" + ], + "risk_score": 21, + "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": 
"Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a624863f-a70d-417f-a7d2-7a404638d47f.json b/packages/security_detection_engine/kibana/security_rule/rule-a624863f-a70d-417f-a7d2-7a404638d47f.json index 8d174c5987b..b53757e0a59 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a624863f-a70d-417f-a7d2-7a404638d47f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a624863f-a70d-417f-a7d2-7a404638d47f.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious MS Office Child Process", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n", - "risk_score": 47, - "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - 
"reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Office Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", 
\"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n", + "risk_score": 47, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json b/packages/security_detection_engine/kibana/security_rule/rule-a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json index f5173e56a87..1782fdff18e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Emond Rules Creation or Modification", - "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n", - "references": [ - "https://www.xorrior.com/emond-persistence/" - ], - "risk_score": 47, - "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.014", - "name": "Emond", - "reference": "https://attack.mitre.org/techniques/T1546/014/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. 
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Emond Rules Creation or Modification", + "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "risk_score": 47, + "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a7ccae7b-9d2c-44b2-a061-98e5946971fa.json b/packages/security_detection_engine/kibana/security_rule/rule-a7ccae7b-9d2c-44b2-a061-98e5946971fa.json index d6f444ba4e8..2bd26e232cb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a7ccae7b-9d2c-44b2-a061-98e5946971fa.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a7ccae7b-9d2c-44b2-a061-98e5946971fa.json 
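Review bot: The second path pattern on the new side, `"/etc/emon.d/rules/*.plist"`, looks like a typo for `emond.d`; on macOS `/etc` is a symlink to `/private/etc`, so a write reported under the `/etc/...` spelling would live in `/etc/emond.d/rules/` and match neither pattern, leaving a gap the first pattern does not close. Suggest `file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emond.d/rules/*.plist")`.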
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious PrintSpooler SPL File Created", - "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.", - "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)", - "references": [ - "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" - ], - "risk_score": 73, - "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. 
.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler SPL File Created", + "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.", + "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "risk_score": 73, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json b/packages/security_detection_engine/kibana/security_rule/rule-a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json index 5d8d06e6e42..f70207d1401 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Credential Acquisition via Registry Hive Dumping", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", - "references": [ - "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8" - ], - "risk_score": 73, - "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", + 
"references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8" + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json b/packages/security_detection_engine/kibana/security_rule/rule-a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json index 8ccd8383524..1d30d794098 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json 
@@ -1,29 +1,33 @@ { - "author": [ - "Elastic" - ], - "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Web Application Suspicious Activity: POST Request Declined", - "query": "http.response.status_code:403 and http.request.method:post", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_403" - ], - "risk_score": 47, - "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "severity": "medium", - "tags": [ - "Elastic", - "APM" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." 
+ ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: POST Request Declined", + "query": "http.response.status_code:403 and http.request.method:post", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "risk_score": 47, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a9198571-b135-4a76-b055-e3e5a476fd83.json b/packages/security_detection_engine/kibana/security_rule/rule-a9198571-b135-4a76-b055-e3e5a476fd83.json index fba63166427..91f203eeb83 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a9198571-b135-4a76-b055-e3e5a476fd83.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a9198571-b135-4a76-b055-e3e5a476fd83.json 
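Review bot: `http.request.method:post` on the new side is a case-sensitive keyword match, so if the APM transaction documents store the method in upper case (`POST`, which is presumably how the agent records it), the rule would never fire; confirm the stored casing and, if needed, use `http.request.method:(post or POST)`. The description just above it is also the only one in this diff that ends without a period.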
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", - "false_positives": [ - "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Hex Encoding/Decoding Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)", - "risk_score": 21, - "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Hex Encoding/Decoding Activity", + "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)", + "risk_score": 21, + "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" }, - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + }, + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "a9198571-b135-4a76-b055-e3e5a476fd83", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json b/packages/security_detection_engine/kibana/security_rule/rule-a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json index ed28c21f85d..12f70c13cab 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", - "false_positives": [ - "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" - ], - "risk_score": 47, - "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. 
Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json b/packages/security_detection_engine/kibana/security_rule/rule-a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json index e1bc9d3a08d..4abe3189e7f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json 
@@ -1,34 +1,38 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Password Policy Modified", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )", - "risk_score": 47, - "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )", + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": 
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a9b05c3b-b304-4bf9-970d-acdfaef2944c.json b/packages/security_detection_engine/kibana/security_rule/rule-a9b05c3b-b304-4bf9-970d-acdfaef2944c.json index cc649697774..67e1cb42954 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a9b05c3b-b304-4bf9-970d-acdfaef2944c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a9b05c3b-b304-4bf9-970d-acdfaef2944c.json 
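Review bot: The query on the new side filters on `gsuite.admin.setting.name` only, while `event.dataset` also admits `google_workspace.admin`; the Google Workspace integration presumably stores that field as `google_workspace.admin.setting.name`, in which case events from the newer dataset can never match this rule. If that field naming is confirmed, the setting-name clause should cover both prefixes, e.g. `(gsuite.admin.setting.name:(…) or google_workspace.admin.setting.name:(…))` with the same value list.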
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Hidden Run Key Detected", - "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", - "references": [ - "https://github.com/outflanknl/SharpHide", - "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" - ], - "risk_score": 73, - "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - 
"timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Hidden Run Key Detected", + "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "references": [ + "https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" + ], + "risk_score": 73, + "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": 
"https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json b/packages/security_detection_engine/kibana/security_rule/rule-a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json index 691a1c25d9f..7be527070cb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json 
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", - "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "IPSEC NAT Traversal Port Activity", - "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500", - "risk_score": 21, - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. 
NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IPSEC NAT Traversal Port Activity", + "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500", + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-aa8007f0-d1df-49ef-8520-407857594827.json b/packages/security_detection_engine/kibana/security_rule/rule-aa8007f0-d1df-49ef-8520-407857594827.json index b43963541d6..9605efb00a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-aa8007f0-d1df-49ef-8520-407857594827.json 
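Review bot: The `false_positives` text on the new side reads `this rule may false under certain conditions`, which drops the verb; `this rule may fire under certain conditions` reads correctly. `technique` is left as an empty array under the Command and Control tactic, which is valid but means the rule carries no ATT&CK technique mapping at all — worth confirming that is intended rather than a lost entry.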
+++ b/packages/security_detection_engine/kibana/security_rule/rule-aa8007f0-d1df-49ef-8520-407857594827.json 
@@ -1,67 +1,71 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", - "false_positives": [ - "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Custom Role Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success", - "references": [ - "https://cloud.google.com/iam/docs/understanding-custom-roles" - ], - "risk_score": 47, - "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. 
Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", + "false_positives": [ + "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Custom Role Creation", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success", + "references": [ + "https://cloud.google.com/iam/docs/understanding-custom-roles" + ], + "risk_score": 47, + "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", 
+ "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "aa8007f0-d1df-49ef-8520-407857594827", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-aa895aea-b69c-4411-b110-8d7599634b30.json b/packages/security_detection_engine/kibana/security_rule/rule-aa895aea-b69c-4411-b110-8d7599634b30.json index 4b2487b8247..d7e23f90ace 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-aa895aea-b69c-4411-b110-8d7599634b30.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-aa895aea-b69c-4411-b110-8d7599634b30.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Log File Deletion", - "query": "file where event.type == \"deletion\" and \n file.path : \n (\n \"/var/run/utmp\", \n \"/var/log/wtmp\", \n \"/var/log/btmp\", \n \"/var/log/lastlog\", \n \"/var/log/faillog\",\n \"/var/log/syslog\", \n \"/var/log/messages\", \n \"/var/log/secure\", \n \"/var/log/auth.log\"\n )\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" - ], - "risk_score": 47, - "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of sensitive Linux system logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Log File Deletion", + "query": "file where event.type == \"deletion\" and \n file.path : \n (\n \"/var/run/utmp\", \n \"/var/log/wtmp\", \n \"/var/log/btmp\", \n \"/var/log/lastlog\", \n \"/var/log/faillog\",\n \"/var/log/syslog\", \n \"/var/log/messages\", \n \"/var/log/secure\", \n \"/var/log/auth.log\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" + ], + "risk_score": 47, + "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "aa895aea-b69c-4411-b110-8d7599634b30", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-aa9a274d-6b53-424d-ac5e-cb8ca4251650.json b/packages/security_detection_engine/kibana/security_rule/rule-aa9a274d-6b53-424d-ac5e-cb8ca4251650.json index 436d31f474a..bfebf72957a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-aa9a274d-6b53-424d-ac5e-cb8ca4251650.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-aa9a274d-6b53-424d-ac5e-cb8ca4251650.json 
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remotely Started Services via RPC", - "query": "sequence with maxspan=1s\n [network where process.name : \"services.exe\" and\n network.direction == \"incoming\" and network.transport == \"tcp\" and \n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n ] by host.id, process.entity_id\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n \n /* uncomment if psexec is noisy in your environment */\n /* and not process.name : \"PSEXESVC.exe\" */\n ] by host.id, process.parent.entity_id\n", - "risk_score": 47, - "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). 
This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "query": "sequence with maxspan=1s\n [network where process.name : \"services.exe\" and\n network.direction == \"incoming\" and network.transport == \"tcp\" and \n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n ] by host.id, process.entity_id\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n \n /* uncomment if psexec is noisy in your environment */\n /* and not process.name : \"PSEXESVC.exe\" */\n ] by host.id, process.parent.entity_id\n", + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ab75c24b-2502-43a0-bf7c-e60e662c811e.json b/packages/security_detection_engine/kibana/security_rule/rule-ab75c24b-2502-43a0-bf7c-e60e662c811e.json index 5a2ed45b74a..b145466445f 100644 
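Review bot: The description string in the new `attributes` block still ends with a stray escaped quote, `administrators.\""`, so the rule text shown in Kibana ends in a literal double quote. Drop the extra `\"` so the line reads `"description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.",`. The old side carries the same typo, so if this file is generated the fix belongs in the upstream rule source rather than only in this packaged copy.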
--- a/packages/security_detection_engine/kibana/security_rule/rule-ab75c24b-2502-43a0-bf7c-e60e662c811e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ab75c24b-2502-43a0-bf7c-e60e662c811e.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Execution via File Shares", - "query": "sequence with maxspan=1m\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", - "references": [ - "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" - ], - "risk_score": 47, - "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a file that was created by the virtual system process. 
This may indicate lateral movement via network file shares.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Execution via File Shares", + "query": "sequence with maxspan=1m\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", + "references": [ + "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" + ], + "risk_score": 47, + "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-abae61a8-c560-4dbd-acca-1e1438bff36b.json b/packages/security_detection_engine/kibana/security_rule/rule-abae61a8-c560-4dbd-acca-1e1438bff36b.json index 63219b4b4e3..60904de4fef 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-abae61a8-c560-4dbd-acca-1e1438bff36b.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-abae61a8-c560-4dbd-acca-1e1438bff36b.json 
@@ -1,27 +1,31 @@ { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "windows_rare_metadata_process", - "name": "Unusual Windows Process Calling the Metadata Service", - "risk_score": 21, - "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "ML" - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "windows_rare_metadata_process", + "name": "Unusual Windows Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML" + ], + "type": "machine_learning", + "version": 2 + }, + "id": "abae61a8-c560-4dbd-acca-1e1438bff36b", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ac412404-57a5-476f-858f-4e8fbb4f48d8.json b/packages/security_detection_engine/kibana/security_rule/rule-ac412404-57a5-476f-858f-4e8fbb4f48d8.json index 816955649b7..7c5969cef4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ac412404-57a5-476f-858f-4e8fbb4f48d8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ac412404-57a5-476f-858f-4e8fbb4f48d8.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Login Hook", - "note": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", - "query": "event.category:\"file\" and not event.type:\"deletion\" and file.name:\"com.apple.loginwindow.plist\" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))", - "references": [ - "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" - ], - "risk_score": 47, - "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.011", - "name": "Plist Modification", - "reference": "https://attack.mitre.org/techniques/T1547/011/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the login window property list (plist). 
Adversaries may modify plist files to run a program during system boot or user login for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Login Hook", + "note": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "query": "event.category:\"file\" and not event.type:\"deletion\" and file.name:\"com.apple.loginwindow.plist\" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" + ], + "risk_score": 47, + "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.011", + "name": "Plist Modification", + "reference": "https://attack.mitre.org/techniques/T1547/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ac5012b8-8da8-440b-aaaf-aedafdea2dff.json b/packages/security_detection_engine/kibana/security_rule/rule-ac5012b8-8da8-440b-aaaf-aedafdea2dff.json index 9efae4e57bd..305a5acf4ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ac5012b8-8da8-440b-aaaf-aedafdea2dff.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ac5012b8-8da8-440b-aaaf-aedafdea2dff.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.", - "false_positives": [ - "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious WerFault Child Process", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe or LogiOptionsMgr.exe) and not process.args:(\"/LOADSAVEDWINDOWS\" or \"/restore\" or RestartByRestartManager* or \"--restarted\" or createdump or dontsend or /watson)", - "references": [ - "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", - "https://blog.menasec.net/2021/01/" - ], - "risk_score": 47, - "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious WerFault child process was detected, which 
may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.", + "false_positives": [ + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious WerFault Child Process", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe or LogiOptionsMgr.exe) and not process.args:(\"/LOADSAVEDWINDOWS\" or \"/restore\" or RestartByRestartManager* or \"--restarted\" or createdump or dontsend or /watson)", + "references": [ + "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "https://blog.menasec.net/2021/01/" + ], + "risk_score": 47, + "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "type": "security_rule" } \ No newline at end of file 
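Review bot: In the new `query` string the argument exclusion list quotes `\"/LOADSAVEDWINDOWS\"` and `\"/restore\"` but leaves `/watson` bare, so one slash-prefixed literal is written differently from the others. Quoting it as `\"/watson\"` keeps the KQL value list uniform and makes it obvious the slash is part of the literal; assuming `process.args` is a keyword field as in ECS, the match is unchanged. This is carried over from the old side, so the edit belongs in the upstream rule source if this file is generated.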
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json b/packages/security_detection_engine/kibana/security_rule/rule-ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json index 4ff010027b3..84ab2ada400 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json 
@@ -1,30 +1,34 @@ { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.", - "false_positives": [ - "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." - ], - "from": "now-60m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_method_for_a_username", - "name": "Unusual AWS Command for a User", - "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "ML" - ], - "type": "machine_learning", - "version": 3 + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.", + "false_positives": [ + "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." 
+ ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_username", + "name": "Unusual AWS Command for a User", + "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "ML" + ], + "type": "machine_learning", + "version": 3 + }, + "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json b/packages/security_detection_engine/kibana/security_rule/rule-acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json index 48aad4e6539..12a3e5ec8fb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json 
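Review bot: The investigation `note` in the new `attributes` block has a misplaced backtick in the third bullet: the closing backtick sits after the word field (`event.action field`), so the markdown renders "field" as part of the field name. Move it to directly after `event.action` so only the ECS field is marked as code. The old side has the same text, so fix it upstream as well if this file is generated.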
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", - "false_positives": [ - "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS", - "references": [ - "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" - ], - "risk_score": 47, - "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", + "false_positives": [ + "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS", + "references": [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" + ], + "risk_score": 47, + "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "query", + "version": 3 + }, + "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json b/packages/security_detection_engine/kibana/security_rule/rule-acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json index 0c5a7cb4ea2..572d117fa35 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json 
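Review bot: The `note` in the new `attributes` block only explains how to shorten polling for the Filebeat gsuite module (`var.interval`), while the rule's `index` also covers `logs-google_workspace*` from the Google Workspace integration, so operators running the integration get no guidance for the event-lag problem the note describes. If the integration exposes an equivalent polling interval, add one bullet pointing to it; if it does not, state that the `var.interval` advice applies to the Filebeat module only. The old side carries the same note, so the wording change belongs in the upstream rule source as well.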
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Command and Control via Internet Explorer", - "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\"\n )\n ]\n", - "risk_score": 47, - "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. 
Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Command and Control via Internet Explorer", + "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\"\n )\n ]\n", + "risk_score": 47, + "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ace1e989-a541-44df-93a8-a8b0591b63c0.json b/packages/security_detection_engine/kibana/security_rule/rule-ace1e989-a541-44df-93a8-a8b0591b63c0.json index 4efe5541aa6..c6d6a00ab4e 100644 
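Review bot: The new wrapper stores the rule identifier twice, as `attributes.rule_id` and as the top-level `id`, with nothing in the file tying them together; the same duplication appears in every file of this diff (ace1e989, acf738b5, ad0e5e75, ad3f2807, ad88231f, adb961e0, afcce5ad). If the package format requires both fields, a build- or lint-time assertion that `id == attributes.rule_id` would catch the two drifting apart when a rule is regenerated. The key `type` is also overloaded across levels (`"type": "eql"` inside `attributes`, `"type": "security_rule"` at the top), which is presumably dictated by the consumer but is worth a line in the package README so readers do not confuse the two. The regenerated files are still written without a trailing newline (`\ No newline at end of file`); emitting one from the generator would keep future diffs cleaner.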
--- a/packages/security_detection_engine/kibana/security_rule/rule-ace1e989-a541-44df-93a8-a8b0591b63c0.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ace1e989-a541-44df-93a8-a8b0591b63c0.json
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential SSH Brute Force Detected", - "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd", - "references": [ - "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" - ], - "risk_score": 47, - "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id" + "attributes": { + "author": [ + "Elastic" ], - "value": 20 + "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. 
An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential SSH Brute Force Detected", + "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd", + "references": [ + "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" + ], + "risk_score": 47, + "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 20 + }, + "type": "threshold", + "version": 2 }, - "type": "threshold", - "version": 2 + "id": "ace1e989-a541-44df-93a8-a8b0591b63c0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-acf738b5-b5b2-4acc-bad9-1e18ee234f40.json b/packages/security_detection_engine/kibana/security_rule/rule-acf738b5-b5b2-4acc-bad9-1e18ee234f40.json index 06485c5493a..22f9d245d2e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-acf738b5-b5b2-4acc-bad9-1e18ee234f40.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-acf738b5-b5b2-4acc-bad9-1e18ee234f40.json 
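Review bot: The description hard-codes the threshold ("a high number (20)") that is also set in `threshold.value`, so tuning the value later leaves the description stating a stale number; dropping the literal count, e.g. `"description": "Identifies a high number of macOS SSH KeyGen process executions from the same host within the rule's lookback window. ..."`, avoids the drift. The `note` of rule ad3f2807 in this diff has the same pattern, restating `interval` and `from` in prose ("run every 10 minutes with a lookback time of 130 minutes"). This threshold rule is also the only one here without `timestamp_override: "event.ingested"`; if the package's target Kibana versions support the override for threshold rules, aligning it with the query rules would reduce misses on late-arriving events — worth confirming against the supported versions.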
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Managed Code Hosting Process", - "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)", - "references": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" - ], - "risk_score": 73, - "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Managed Code Hosting Process", + "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)", + "references": [ + 
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" + ], + "risk_score": 73, + "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3.json b/packages/security_detection_engine/kibana/security_rule/rule-ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3.json index f6e43f4bf8e..08f9b0616aa 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3.json 
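Review bot: The `file.name` list in the query contains `wscript.exe.log` twice (`wscript.exe.log or mshta.exe.log or wscript.exe.log or ...`), which looks like a copy-paste slip rather than an intentional repeat; the second entry is presumably meant to be a different host binary (`cscript.exe.log` would be the natural sibling), so the intended value should be confirmed with the rule author. As written the duplicate is harmless to matching but silently narrows coverage if another CLR host was meant to be there. A short `note` stating which managed-code hosts the rule is meant to cover would also make future edits to this list easier to review.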
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", - "false_positives": [ - "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Proxy Port Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", + "false_positives": [ + "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. 
Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Proxy Port Activity to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 47, + "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ad3f2807-2b3e-47d7-b282-f84acbbe14be.json b/packages/security_detection_engine/kibana/security_rule/rule-ad3f2807-2b3e-47d7-b282-f84acbbe14be.json index 45a914703f8..b17a17dcd2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ad3f2807-2b3e-47d7-b282-f84acbbe14be.json 
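Review bot: The `threat` block maps the rule to tactic TA0011 but leaves `"technique": []` empty even though this behaviour has a direct ATT&CK technique; adding `{ "id": "T1090", "name": "Proxy", "reference": "https://attack.mitre.org/techniques/T1090/" }` to the `technique` array would make the rule consistent with the other rules in this diff, which all carry a technique. Separately, the `false_positives` text says "this rule may false under certain conditions", which reads as a typo for "may fire" and is worth correcting at the source the package is generated from.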
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ad3f2807-2b3e-47d7-b282-f84acbbe14be.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Custom Admin Role Created", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "risk_score": 47, - "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Admin Role Created", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "risk_score": 47, + "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": 
"ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ad88231f-e2ab-491c-8fc6-64746da26cfe.json b/packages/security_detection_engine/kibana/security_rule/rule-ad88231f-e2ab-491c-8fc6-64746da26cfe.json index 7653fa43923..fd005d602be 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ad88231f-e2ab-491c-8fc6-64746da26cfe.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ad88231f-e2ab-491c-8fc6-64746da26cfe.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kerberos Cached Credentials Dumping", - "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache", - "references": [ - "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", - "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" - ], - "risk_score": 73, - "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Cached Credentials Dumping", + "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", + 
"https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" + ], + "risk_score": 73, + "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-adb961e0-cb74-42a0-af9e-29fc41f88f5f.json b/packages/security_detection_engine/kibana/security_rule/rule-adb961e0-cb74-42a0-af9e-29fc41f88f5f.json index c04ba0463fb..4dd1249e9cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-adb961e0-cb74-42a0-af9e-29fc41f88f5f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-adb961e0-cb74-42a0-af9e-29fc41f88f5f.json 
@@ -1,34 +1,38 @@ { - "author": [ - "Elastic" - ], - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", - "false_positives": [ - "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Netcat Network Activity", - "query": "sequence by process.entity_id\n [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n event.type == \"start\"]\n [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", - "references": [ - "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", - "https://en.wikipedia.org/wiki/Netcat" - ], - "risk_score": 47, - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "type": "eql", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. 
Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Netcat Network Activity", + "query": "sequence by process.entity_id\n [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n event.type == \"start\"]\n [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat" + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection" + ], + "type": "eql", + "version": 6 + }, + "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-afcce5ad-65de-4ed2-8516-5e093d3ac99a.json b/packages/security_detection_engine/kibana/security_rule/rule-afcce5ad-65de-4ed2-8516-5e093d3ac99a.json index 5a9e8d9168d..8845d6974ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-afcce5ad-65de-4ed2-8516-5e093d3ac99a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-afcce5ad-65de-4ed2-8516-5e093d3ac99a.json 
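Review bot: This rule carries no `threat` mapping at all, even though its description calls out persistence (reverse or bind shells) and data exfiltration, and its `tags` stop at "Threat Detection" with no tactic; every other rule in this diff maps to a MITRE tactic and technique. A mapping along the lines of the one rule acd611f3 uses in this same diff (tactic TA0011 "Command and Control", technique T1071 "Application Layer Protocol") would be a reasonable starting point, with the tag list extended to match. The `process.name` set in the query lists `netcat.openbsd` and `netcat.traditional`; if the fleet includes distributions that install the Debian-style `nc.openbsd` / `nc.traditional` binary names, those would not match the sequence — worth verifying against the hosts the `auditbeat-*` and `logs-endpoint.events.*` indices cover.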
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Local Scheduled Task Commands", - "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", - "risk_score": 21, - "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Local Scheduled Task Commands", + "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b0046934-486e-462f-9487-0d4cf9e429c6.json b/packages/security_detection_engine/kibana/security_rule/rule-b0046934-486e-462f-9487-0d4cf9e429c6.json index d3f5ad5644e..77b56703340 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-b0046934-486e-462f-9487-0d4cf9e429c6.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-b0046934-486e-462f-9487-0d4cf9e429c6.json 
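Review bot: The `process.args` list in the query mixes cases unevenly: it includes `-s` and `/S` but neither `-S` nor `/s`, while the other switches appear in a single case in both `-` and `/` forms. If `process.args` is an ECS keyword field the match is case-sensitive, so an invocation using `/s` would not trigger the rule; either list both cases for each switch or add a `note` explaining why only `/S` is expected. The description also does not say what "Local" in the rule name means given that `-s` / `/S` (which specify a target system) are part of the match set — a sentence clarifying the intended scope would help tuning.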
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "max_signals": 33,
- "name": "Timestomping using Touch Command",
- "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
- "risk_score": 47,
- "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "macOS",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1070",
- "name": "Indicator Removal on Host",
- "reference": "https://attack.mitre.org/techniques/T1070/",
- "subtechnique": [
- {
- "id": "T1070.006",
- "name": "Timestomp",
- "reference": "https://attack.mitre.org/techniques/T1070/006/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "Timestomping using Touch Command",
+ "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
+ "risk_score": 47,
+ "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1070",
+ "name": "Indicator Removal on Host",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.006",
+ "name": "Timestomp",
+ "reference": "https://attack.mitre.org/techniques/T1070/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b00bcd89-000c-4425-b94c-716ef67762f6.json b/packages/security_detection_engine/kibana/security_rule/rule-b00bcd89-000c-4425-b94c-716ef67762f6.json
index d45538598a3..079fa673894 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b00bcd89-000c-4425-b94c-716ef67762f6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b00bcd89-000c-4425-b94c-716ef67762f6.json
@@ -1,48 +1,52 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "TCC Bypass via Mounted APFS Snapshot Access",
- "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and process.args : (/System/Volumes/Data and noowners)",
- "references": [
- "https://theevilbit.github.io/posts/cve_2020_9771/"
- ],
- "risk_score": 73,
- "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1006",
- "name": "Direct Volume Access",
- "reference": "https://attack.mitre.org/techniques/T1006/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "TCC Bypass via Mounted APFS Snapshot Access",
+ "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and process.args : (/System/Volumes/Data and noowners)",
+ "references": [
+ "https://theevilbit.github.io/posts/cve_2020_9771/"
+ ],
+ "risk_score": 73,
+ "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1006",
+ "name": "Direct Volume Access",
+ "reference": "https://attack.mitre.org/techniques/T1006/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8.json b/packages/security_detection_engine/kibana/security_rule/rule-b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8.json
index 9de675d43c6..fd2c63c0c44 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8.json
@@ -1,60 +1,64 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code.",
- "false_positives": [
- "Legitimate software or scripts using cron jobs for recurring tasks."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Potential Persistence via Cron Job",
- "query": "event.category:process and event.type:(start or process_started or info) and not user.name:root and ((process.name:crontab and not process.args:(\"-l\" or \"-r\" or \"-e\" or \"-help\" or \"-h\")) or (process.parent.name:cron and not process.name:\"running job\" and not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or /usr/bin/killall or /usr/sbin/sendmail or /usr/bin/env or /usr/bin/timeshift or /bin/rm)))",
- "references": [
- "https://archive.f-secure.com/weblog/archives/00002576.html",
- "https://ss64.com/osx/crontab.html"
- ],
- "risk_score": 21,
- "rule_id": "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "macOS",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1053",
- "name": "Scheduled Task/Job",
- "reference": "https://attack.mitre.org/techniques/T1053/",
- "subtechnique": [
- {
- "id": "T1053.003",
- "name": "Cron",
- "reference": "https://attack.mitre.org/techniques/T1053/003/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code.",
+ "false_positives": [
+ "Legitimate software or scripts using cron jobs for recurring tasks."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Potential Persistence via Cron Job",
+ "query": "event.category:process and event.type:(start or process_started or info) and not user.name:root and ((process.name:crontab and not process.args:(\"-l\" or \"-r\" or \"-e\" or \"-help\" or \"-h\")) or (process.parent.name:cron and not process.name:\"running job\" and not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or /usr/bin/killall or /usr/sbin/sendmail or /usr/bin/env or /usr/bin/timeshift or /bin/rm)))",
+ "references": [
+ "https://archive.f-secure.com/weblog/archives/00002576.html",
+ "https://ss64.com/osx/crontab.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "macOS",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json b/packages/security_detection_engine/kibana/security_rule/rule-b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
index a1549e5cf14..661717fd395 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
@@ -1,49 +1,53 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Remote File Copy via TeamViewer",
- "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
- "references": [
- "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
- ],
- "risk_score": 47,
- "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "technique": [
- {
- "id": "T1105",
- "name": "Ingress Tool Transfer",
- "reference": "https://attack.mitre.org/techniques/T1105/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Remote File Copy via TeamViewer",
+ "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+ "references": [
+ "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b29ee2be-bf99-446c-ab1a-2dc0183394b8.json b/packages/security_detection_engine/kibana/security_rule/rule-b29ee2be-bf99-446c-ab1a-2dc0183394b8.json
index 2f55e8f774b..d486288a2ee 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b29ee2be-bf99-446c-ab1a-2dc0183394b8.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b29ee2be-bf99-446c-ab1a-2dc0183394b8.json
@@ -1,61 +1,65 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Network Connection via Compiled HTML File",
- "query": "sequence by process.entity_id\n [process where process.name : \"hh.exe\" and event.type == \"start\"]\n [network where process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
- "risk_score": 21,
- "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Network Connection via Compiled HTML File",
+ "query": "sequence by process.entity_id\n [process where process.name : \"hh.exe\" and event.type == \"start\"]\n [network where process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+ "risk_score": 21,
+ "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": []
 },
- "technique": []
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1218",
- "name": "Signed Binary Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1218/",
- "subtechnique": [
- {
- "id": "T1218.001",
- "name": "Compiled HTML File",
- "reference": "https://attack.mitre.org/techniques/T1218/001/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 7
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "Signed Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/",
+ "subtechnique": [
+ {
+ "id": "T1218.001",
+ "name": "Compiled HTML File",
+ "reference": "https://attack.mitre.org/techniques/T1218/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 7
+ },
+ "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b347b919-665f-4aac-b9e8-68369bf2340c.json b/packages/security_detection_engine/kibana/security_rule/rule-b347b919-665f-4aac-b9e8-68369bf2340c.json
index 2ee92e769a9..3527dd7ae84 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b347b919-665f-4aac-b9e8-68369bf2340c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b347b919-665f-4aac-b9e8-68369bf2340c.json
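Review bot: In the new `attributes` block of rule b29ee2be the first `threat` entry still carries `"technique": []` under the Execution tactic, and the rule is the only query/EQL rule in this diff with no `timestamp_override`. An empty technique list is valid JSON but documents nothing; either map the Execution tactic to a technique or drop that entry and keep the Defense Evasion mapping that already covers T1218.001. If leaving out `timestamp_override` is deliberate for this `sequence` query, a one-line reason in a `note` field would stop the next maintainer from "fixing" it; if not, `"timestamp_override": "event.ingested"` matches the sibling rules.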
@@ -1,31 +1,35 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
- "false_positives": [
- "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_anomalous_user_name_ecs",
- "name": "Unusual Linux Username",
- "note": "### Investigating an Unusual Linux User ###\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+ "false_positives": [
+ "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_anomalous_user_name_ecs",
+ "name": "Unusual Linux Username",
+ "note": "### Investigating an Unusual Linux User ###\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b41a13c6-ba45-4bab-a534-df53d0cfed6a.json b/packages/security_detection_engine/kibana/security_rule/rule-b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
index 5140a1fc31d..845da4d35a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b41a13c6-ba45-4bab-a534-df53d0cfed6a.json 
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious Endpoint Security Parent Process",
- "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
- "risk_score": 47,
- "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1036",
- "name": "Masquerading",
- "reference": "https://attack.mitre.org/techniques/T1036/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Endpoint Security Parent Process",
+ "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+ "risk_score": 47,
+ "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b4449455-f986-4b5a-82ed-e36b129331f7.json b/packages/security_detection_engine/kibana/security_rule/rule-b4449455-f986-4b5a-82ed-e36b129331f7.json
index 9045cc8956f..b5502225946 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b4449455-f986-4b5a-82ed-e36b129331f7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b4449455-f986-4b5a-82ed-e36b129331f7.json
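Review bot: The query shipped in rule b41a13c6 still carries the scaffolding comment `/* add FPs here */` in front of the `not process.parent.executable : (...)` exclusion list. A packaged rule should say what the list is rather than invite edits, e.g. `/* known-benign parents: Elastic install directory, Service Control Manager, Windows Error Reporting */`. The wildcard entry `\"C:\\\\Program Files\\\\Elastic\\\\*\"` is the broadest exclusion in the list and is the one a reader will question, so the comment is also the natural place to record why every executable under that directory is accepted as a parent of the endpoint process.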
@@ -1,32 +1,36 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Potential Persistence via Atom Init Script Modification",
- "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root",
- "references": [
- "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
- "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
- ],
- "risk_score": 21,
- "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Persistence"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Potential Persistence via Atom Init Script Modification",
+ "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root",
+ "references": [
+ "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
+ "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
+ ],
+ "risk_score": 21,
+ "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json b/packages/security_detection_engine/kibana/security_rule/rule-b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
index 831fe66b53e..73e6d026186 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Delete an Okta Policy",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 47,
- "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization." 
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Policy",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json b/packages/security_detection_engine/kibana/security_rule/rule-b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
index a2ffec1395b..bdb60c67ae9 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
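Review bot: This rule has no `threat` mapping even though its description is about weakening an organization's security controls, and the rule-b719a170 hunk has the same gap. Mapping both to the ATT&CK Defense Evasion tactic (`TA0005`, as used in rule-b86afe07; Impair Defenses, T1562, looks like the fitting technique, but confirm against the rule's intent) would bring them in line with the other rules in this package. Neither Okta rule sets `from`, whereas the Azure rule in this diff uses `"from": "now-25m"`; if Okta system-log ingestion lags, the default lookback may miss events, so an explicit `from` is worth considering for both.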
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Volume Shadow Copy Deletion via VssAdmin",
- "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
- "risk_score": 73,
- "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Impact"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
- },
- "technique": [
- {
- "id": "T1490",
- "name": "Inhibit System Recovery",
- "reference": "https://attack.mitre.org/techniques/T1490/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 8
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Volume Shadow Copy Deletion via VssAdmin",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+ "risk_score": 73,
+ "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1490",
+ "name": "Inhibit System Recovery",
+ "reference": "https://attack.mitre.org/techniques/T1490/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b64b183e-1a76-422d-9179-7b389513e74d.json b/packages/security_detection_engine/kibana/security_rule/rule-b64b183e-1a76-422d-9179-7b389513e74d.json
index 0d27a9c7b31..61f05ab6ad2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b64b183e-1a76-422d-9179-7b389513e74d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b64b183e-1a76-422d-9179-7b389513e74d.json
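Review bot: This high-severity rule ships without a `false_positives` or `references` entry, while comparable rules in this diff document both; backup and storage-management tooling may legitimately run `vssadmin delete shadows`, so analysts get no hint about the expected benign sources. A `false_positives` line in the style of the other rules here, such as `Backup or storage-management software may delete shadow copies as part of routine maintenance; verify the parent process and schedule before escalating.`, plus a reference for T1490, would make triage faster.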
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Windows Script Interpreter Executing Process via WMI",
- "query": "sequence by host.id with maxspan = 5s\n [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n",
- "risk_score": 47,
- "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Initial Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1566",
- "name": "Phishing",
- "reference": "https://attack.mitre.org/techniques/T1566/",
- "subtechnique": [
- {
- "id": "T1566.001",
- "name": "Spearphishing Attachment",
- "reference": "https://attack.mitre.org/techniques/T1566/001/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ "attributes": {
+ "author": [
+ 
"Elastic"
+ ],
+ "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Windows Script Interpreter Executing Process via WMI",
+ "query": "sequence by host.id with maxspan = 5s\n [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n",
+ "risk_score": 47,
+ "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/",
+ "subtechnique": [
+ {
+ "id": "T1566.001",
+ "name": "Spearphishing Attachment",
+ "reference": "https://attack.mitre.org/techniques/T1566/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "b64b183e-1a76-422d-9179-7b389513e74d",
+ "type": 
"security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b6dce542-2b75-4ffb-b7d6-38787298ba9d.json b/packages/security_detection_engine/kibana/security_rule/rule-b6dce542-2b75-4ffb-b7d6-38787298ba9d.json
index dea3bd42ead..8ce3e6bf229 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b6dce542-2b75-4ffb-b7d6-38787298ba9d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b6dce542-2b75-4ffb-b7d6-38787298ba9d.json
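Review bot: `user.domain != \"NT AUTHORITY\"` in the query relies on the `!=` operator, which in Elasticsearch EQL compares keyword values case-sensitively (only `:` is case-insensitive), so a domain logged as `nt authority` would not be excluded; `not user.domain : \"NT AUTHORITY\"` expresses the intent more robustly and matches the `:` style already used for `process.parent.name` in the same query. This rule and the rule-b86afe07 hunk are also the only two in this change without `"timestamp_override": "event.ingested"`, which the other EQL rule here (rule-b90cdde7) sets; adding it keeps late-arriving endpoint events inside the rule's lookback.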
@@ -1,68 +1,72 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
- "false_positives": [
- "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Event Hub Authorization Rule Created or Updated",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)",
- "references": [
- "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
- ],
- "risk_score": 47,
- "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0009",
- "name": "Collection",
- "reference": "https://attack.mitre.org/tactics/TA0009/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Event Hub 
Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+ "false_positives": [
+ "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Event Hub Authorization Rule Created or Updated",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+ ],
+ "risk_score": 47,
+ "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1530",
+ "name": "Data from Cloud Storage Object",
+ "reference": "https://attack.mitre.org/techniques/T1530/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1530",
- 
"name": "Data from Cloud Storage Object",
- "reference": "https://attack.mitre.org/techniques/T1530/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0010",
- "name": "Exfiltration",
- "reference": "https://attack.mitre.org/tactics/TA0010/"
- },
- "technique": [
- {
- "id": "T1537",
- "name": "Transfer Data to Cloud Account",
- "reference": "https://attack.mitre.org/techniques/T1537/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0010",
+ "name": "Exfiltration",
+ "reference": "https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1537",
+ "name": "Transfer Data to Cloud Account",
+ "reference": "https://attack.mitre.org/techniques/T1537/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b719a170-3bdb-4141-b0e3-13e3cf627bfe.json b/packages/security_detection_engine/kibana/security_rule/rule-b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
index 957b48b1928..ba15c5c91c0 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
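Review bot: The `note` says `The Azure Filebeat module must be enabled to use this rule.`, but `index` also targets `logs-azure*`, which is the data stream written by the Fleet integration, so the note understates the supported ingestion paths. The Okta rules in this diff already use the wording `The Okta Fleet integration or Filebeat module must be enabled to use this rule.`; `The Azure Fleet integration or Filebeat module must be enabled to use this rule.` would be the consistent form here.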
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
- "false_positives": [
- "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Deactivate an Okta Policy",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+ "false_positives": [
+ "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives." 
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate an Okta Policy",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 21,
+ "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b8075894-0b62-46e5-977c-31275da34419.json b/packages/security_detection_engine/kibana/security_rule/rule-b8075894-0b62-46e5-977c-31275da34419.json
index 7d10655e732..0e61d5c1ace 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b8075894-0b62-46e5-977c-31275da34419.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b8075894-0b62-46e5-977c-31275da34419.json
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
- "false_positives": [
- "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Administrator Privileges Assigned to an Okta Group",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:group.privilege.grant",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 47,
- "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1098",
- "name": "Account Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1098/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an administrator role is assigned to an Okta group. 
An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+ "false_positives": [
+ "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Administrator Privileges Assigned to an Okta Group",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:group.privilege.grant",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "b8075894-0b62-46e5-977c-31275da34419",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b83a7e96-2eb3-4edf-8346-427b6858d3bd.json b/packages/security_detection_engine/kibana/security_rule/rule-b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
index 61ec4e673d9..7b8ec1bb1c4 100644
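Review bot: The `false_positives` text says `Administrator roles may be assigned to Okta users by a Super Admin user`, but the rule matches `group.privilege.grant`, i.e. grants to a group, so the guidance describes the wrong object; `Administrator roles may be assigned to Okta groups by a Super Admin user.` would match the query and the rule name. The `threat` mapping lists only Persistence, while the description is about gaining additional permissions; adding the Privilege Escalation tactic (`TA0004`, as in rule-b90cdde7) alongside T1098 would make the mapping complete.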
--- a/packages/security_detection_engine/kibana/security_rule/rule-b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Creation or Modification of Domain Backup DPAPI private key",
- "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
- "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
- "references": [
- "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
- "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
- ],
- "risk_score": 73,
- "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1552",
- "name": "Unsecured Credentials",
- "reference": "https://attack.mitre.org/techniques/T1552/",
- "subtechnique": [
- {
- "id": "T1552.004",
- "name": "Private Keys",
- "reference": "https://attack.mitre.org/techniques/T1552/004/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation or modification of Domain 
Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Creation or Modification of Domain Backup DPAPI private key",
+ "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+ "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+ "references": [
+ "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+ "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+ ],
+ "risk_score": 73,
+ "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1552",
+ "name": "Unsecured Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1552/",
+ "subtechnique": [
+ {
+ "id": "T1552.004",
+ "name": "Private Keys",
+ "reference": "https://attack.mitre.org/techniques/T1552/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+ "type": "security_rule"
 }
\ No newline at end of file
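Review bot: The `note` opens with `### ` followed by the whole paragraph, so Kibana's markdown renders the entire investigation text as one level-3 heading rather than as a heading with body text. Splitting it into a short heading and a paragraph, e.g. `### Investigation notes\n\nDomain DPAPI Backup keys are stored on domain controllers ...` with the rest of the existing text unchanged, keeps the content and fixes the rendering; the other rules in this diff use plain-sentence notes, which would also be acceptable here.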
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b86afe07-0d98-4738-b15d-8d7465f95ff5.json b/packages/security_detection_engine/kibana/security_rule/rule-b86afe07-0d98-4738-b15d-8d7465f95ff5.json
index f4a1a4a8d85..f9831738cad 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b86afe07-0d98-4738-b15d-8d7465f95ff5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b86afe07-0d98-4738-b15d-8d7465f95ff5.json
@@ -1,45 +1,49 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Network Connection via MsXsl",
- "query": "sequence by process.entity_id\n [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
- "risk_score": 21,
- "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1220",
- "name": "XSL Script Processing",
- "reference": "https://attack.mitre.org/techniques/T1220/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 6
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies msxsl.exe making a network connection. 
This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Network Connection via MsXsl",
+ "query": "sequence by process.entity_id\n [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+ "risk_score": 21,
+ "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1220",
+ "name": "XSL Script Processing",
+ "reference": "https://attack.mitre.org/techniques/T1220/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 6
+ },
+ "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json b/packages/security_detection_engine/kibana/security_rule/rule-b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json
index 67403ea650a..e3816000d26 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json
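Review bot: The `sequence by process.entity_id` in the query has no `with maxspan`, unlike the WMI rule in this diff (`with maxspan = 5s`); an unbounded sequence keeps the process-start event pending for the whole query window, which is inconsistent with the other EQL rule and hides the intended pairing window, so a bound such as `with maxspan = 1m` (a constructed example, tune to your data) would make it explicit. The `cidrmatch` exclusion covers only the three RFC 1918 ranges, so loopback and link-local destinations (`127.0.0.0/8`, `169.254.0.0/16`) still alert; if those appear in your telemetry they are a likely benign source and worth recording in a `false_positives` entry, which this rule currently lacks.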
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
- "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
- "references": [
- "https://github.com/hfiref0x/UACME"
- ],
- "risk_score": 73,
- "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/",
- "subtechnique": [
- {
- "id": "T1548.002",
- "name": "Bypass User Access Control",
- "reference": "https://attack.mitre.org/techniques/T1548/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
+ "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+ "references": [
+ "https://github.com/hfiref0x/UACME"
+ ],
+ "risk_score": 73,
+ "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.002",
+ "name": "Bypass User Access Control",
+ "reference": "https://attack.mitre.org/techniques/T1548/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b9666521-4742-49ce-9ddc-b8e84c35acae.json b/packages/security_detection_engine/kibana/security_rule/rule-b9666521-4742-49ce-9ddc-b8e84c35acae.json
index fc600826210..1d37d956807 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b9666521-4742-49ce-9ddc-b8e84c35acae.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b9666521-4742-49ce-9ddc-b8e84c35acae.json
@@ -1,65 +1,69 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
- "false_positives": [
- "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "lucene",
- "license": "Elastic License v2",
- "max_signals": 33,
- "name": "Creation of Hidden Files and Directories",
- "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
- "risk_score": 47,
- "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+ "false_positives": [
+ "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "lucene",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "Creation of Hidden Files and Directories",
+ "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+ "risk_score": 47,
+ "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1564",
+ "name": "Hide Artifacts",
+ "reference": "https://attack.mitre.org/techniques/T1564/",
+ "subtechnique": [
+ {
+ "id": "T1564.001",
+ "name": "Hidden Files and Directories",
+ "reference": "https://attack.mitre.org/techniques/T1564/001/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1564",
- "name": "Hide Artifacts",
- "reference": "https://attack.mitre.org/techniques/T1564/",
- "subtechnique": [
- {
- "id": "T1564.001",
- "name": "Hidden Files and Directories",
- "reference": "https://attack.mitre.org/techniques/T1564/001/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": []
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-b9960fef-82c6-4816-befa-44745030e917.json b/packages/security_detection_engine/kibana/security_rule/rule-b9960fef-82c6-4816-befa-44745030e917.json
index 0b65ae8e9b7..6f9ca829a49 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-b9960fef-82c6-4816-befa-44745030e917.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-b9960fef-82c6-4816-befa-44745030e917.json
@@ -1,78 +1,82 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "SolarWinds Process Disabling Services via Registry",
- "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\", \n \"ConfigurationWizard*.exe\", \n \"NetflowDatabaseMaintenance*.exe\", \n \"NetFlowService*.exe\", \n \"SolarWinds.Administration*.exe\", \n \"SolarWinds.Collector.Service*.exe\" , \n \"SolarwindsDiagnostics*.exe\")\n",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
- ],
- "risk_score": 47,
- "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "SolarWinds Process Disabling Services via Registry",
+ "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\", \n \"ConfigurationWizard*.exe\", \n \"NetflowDatabaseMaintenance*.exe\", \n \"NetFlowService*.exe\", \n \"SolarWinds.Administration*.exe\", \n \"SolarWinds.Collector.Service*.exe\" , \n \"SolarwindsDiagnostics*.exe\")\n",
+ "references": [
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1195",
- "name": "Supply Chain Compromise",
- "reference": "https://attack.mitre.org/techniques/T1195/",
- "subtechnique": [
- {
- "id": "T1195.002",
- "name": "Compromise Software Supply Chain",
- "reference": "https://attack.mitre.org/techniques/T1195/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1195",
+ "name": "Supply Chain Compromise",
+ "reference": "https://attack.mitre.org/techniques/T1195/",
+ "subtechnique": [
+ {
+ "id": "T1195.002",
+ "name": "Compromise Software Supply Chain",
+ "reference": "https://attack.mitre.org/techniques/T1195/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "b9960fef-82c6-4816-befa-44745030e917",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ba342eb2-583c-439f-b04d-1fdd7c1417cc.json b/packages/security_detection_engine/kibana/security_rule/rule-ba342eb2-583c-439f-b04d-1fdd7c1417cc.json
index 539ebc14971..28b16f644c8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ba342eb2-583c-439f-b04d-1fdd7c1417cc.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ba342eb2-583c-439f-b04d-1fdd7c1417cc.json
@@ -1,31 +1,35 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
- "false_positives": [
- "A newly installed program or one that rarely uses the network could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
- "name": "Unusual Windows Network Activity",
- "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 4
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+ "false_positives": [
+ "A newly installed program or one that rarely uses the network could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
+ "name": "Unusual Windows Network Activity",
+ "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 4
+ },
+ "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json b/packages/security_detection_engine/kibana/security_rule/rule-baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json
index 2010d17062c..d62b12748d5 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious Image Load (taskschd.dll) from MS Office",
- "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"taskschd.dll\"\n",
- "references": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
- ],
- "risk_score": 21,
- "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1053",
- "name": "Scheduled Task/Job",
- "reference": "https://attack.mitre.org/techniques/T1053/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Image Load (taskschd.dll) from MS Office",
+ "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"taskschd.dll\"\n",
+ "references": [
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+ ],
+ "risk_score": 21,
+ "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json b/packages/security_detection_engine/kibana/security_rule/rule-bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json
index a508eae712b..6b09fc3b9d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json 
@@ -1,75 +1,79 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
- "false_positives": [
- "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Resource Group Deletion",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)",
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
- ],
- "risk_score": 47,
- "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+ "false_positives": [
+ "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Resource Group Deletion",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+ ],
+ "risk_score": 47,
+ "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1485",
- "name": "Data Destruction",
- "reference": "https://attack.mitre.org/techniques/T1485/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bb9b13b2-1700-48a8-a750-b43b0a72ab69.json b/packages/security_detection_engine/kibana/security_rule/rule-bb9b13b2-1700-48a8-a750-b43b0a72ab69.json
index 30c47ebde30..7a65cf592e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bb9b13b2-1700-48a8-a750-b43b0a72ab69.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bb9b13b2-1700-48a8-a750-b43b0a72ab69.json
@@ -1,63 +1,67 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
- "false_positives": [
- "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS EC2 Encryption Disabled",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
- "references": [
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
- "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
- ],
- "risk_score": 47,
- "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Data Protection"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
- },
- "technique": [
- {
- "id": "T1565",
- "name": "Data Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1565/",
- "subtechnique": [
- {
- "id": "T1565.001",
- "name": "Stored Data Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1565/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+ "false_positives": [
+ "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS EC2 Encryption Disabled",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Data Protection"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1565",
+ "name": "Data Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1565/",
+ "subtechnique": [
+ {
+ "id": "T1565.001",
+ "name": "Stored Data Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1565/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bbd1a775-8267-41fa-9232-20e5582596ac.json b/packages/security_detection_engine/kibana/security_rule/rule-bbd1a775-8267-41fa-9232-20e5582596ac.json
index b514e2512c2..cd86872093e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bbd1a775-8267-41fa-9232-20e5582596ac.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bbd1a775-8267-41fa-9232-20e5582596ac.json
@@ -1,36 +1,40 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
- "false_positives": [
- "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-30m",
- "index": [
- "filebeat-*",
- "logs-o365*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
- "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success",
- "references": [
- "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
- ],
- "risk_score": 47,
- "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
+ "false_positives": [
+ "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
+ ],
+ "risk_score": 47,
+ "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json b/packages/security_detection_engine/kibana/security_rule/rule-bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json
index 5a5a75586dc..fd09a77920c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json
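Review bot: The new top-level `id` duplicates `attributes.rule_id` (`bbd1a775-8267-41fa-9232-20e5582596ac` now appears twice in the file), and the same pattern is repeated in every other rule file in this diff (bc0c6f0d, bc0f2d83, bc1eeacf, bc48bba7, bca7d28e, bd7eefee, be8afaed, bfeaf89b). Kibana resolves the saved object by `id` while the detection engine keys on `rule_id`, so if either value is ever edited by hand the mismatch would not fail loudly. If these files are emitted by the package build, a CI assertion that `id == attributes.rule_id` for every `rule-*.json` would catch drift cheaply. The `"type": "security_rule"` wrapper is consistent across all the rebuilt files.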
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
- "false_positives": [
- "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS Root Login Without MFA",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
- "references": [
- "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
- ],
- "risk_score": 73,
- "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
- "severity": "high",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1078",
- "name": "Valid Accounts",
- "reference": "https://attack.mitre.org/techniques/T1078/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+ "false_positives": [
+ "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS Root Login Without MFA",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+ "references": [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json b/packages/security_detection_engine/kibana/security_rule/rule-bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json
index ad57c1f779e..2e8ac78bf6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json
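Review bot: The `note` still says only "The AWS Filebeat module must be enabled", while `index` also targets `logs-aws*`, which is the data stream the Fleet integration writes to; the Okta and Microsoft 365 rules in this same diff phrase it as "Fleet integration or Filebeat module". The GCP rules (bc0f2d83, bca7d28e) and the Azure rule (bc48bba7) carry the same Filebeat-only wording, so if the integration is supported the note should read `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` Whether the integration populates `aws.cloudtrail.console_login.additional_eventdata.mfa_used` as a boolean the `:false` clause can match is not visible here and is worth confirming before widening the note.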
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json 
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
- "false_positives": [
- "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Storage Bucket Deletion",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
- "references": [
- "https://cloud.google.com/storage/docs/key-terms#buckets"
- ],
- "risk_score": 47,
- "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
- },
- "technique": [
- {
- "id": "T1485",
- "name": "Data Destruction",
- "reference": "https://attack.mitre.org/techniques/T1485/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+ "false_positives": [
+ "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Storage Bucket Deletion",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
+ "references": [
+ "https://cloud.google.com/storage/docs/key-terms#buckets"
+ ],
+ "risk_score": 47,
+ "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bc1eeacf-2972-434f-b782-3a532b100d67.json b/packages/security_detection_engine/kibana/security_rule/rule-bc1eeacf-2972-434f-b782-3a532b100d67.json
index d4f5c982665..b9df91d0407 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bc1eeacf-2972-434f-b782-3a532b100d67.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bc1eeacf-2972-434f-b782-3a532b100d67.json
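Review bot: The query `event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete` has no `event.outcome` clause, so denied or failed delete calls alert exactly as a completed deletion does, while the description says the rule "identifies when a ... storage bucket is deleted". The GCP service-account rule in this same diff (bca7d28e) filters on `event.outcome:success`, so the two are inconsistent. Either append ` and event.outcome:success` to the query, or — since a refused deletion by an unexpected identity is itself worth triage — keep the broader match and reword the description and `false_positives` to say attempts are included.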
@@ -1,58 +1,62 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
- "false_positives": [
- "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Install Root Certificate",
- "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:\"add-trusted-cert\"",
- "references": [
- "https://ss64.com/osx/security-cert.html"
- ],
- "risk_score": 47,
- "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1553",
- "name": "Subvert Trust Controls",
- "reference": "https://attack.mitre.org/techniques/T1553/",
- "subtechnique": [
- {
- "id": "T1553.004",
- "name": "Install Root Certificate",
- "reference": "https://attack.mitre.org/techniques/T1553/004/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
+ "false_positives": [
+ "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Install Root Certificate",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:\"add-trusted-cert\"",
+ "references": [
+ "https://ss64.com/osx/security-cert.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1553",
+ "name": "Subvert Trust Controls",
+ "reference": "https://attack.mitre.org/techniques/T1553/",
+ "subtechnique": [
+ {
+ "id": "T1553.004",
+ "name": "Install Root Certificate",
+ "reference": "https://attack.mitre.org/techniques/T1553/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bc48bba7-4a23-4232-b551-eca3ca1e3f20.json b/packages/security_detection_engine/kibana/security_rule/rule-bc48bba7-4a23-4232-b551-eca3ca1e3f20.json
index 7927b721f45..e6d01b7b9a8 100644
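Review bot: The `description` promises more than the query delivers: the query only matches the `security` binary launched with `add-trusted-cert` in `process.args`, while the description reads as generic root-certificate installation on macOS. Suggest stating the scope where analysts will see it, e.g. a `note` such as `"note": "This rule only covers trust-store changes made through the macOS security command-line tool."`, so that a triage analyst does not read a non-match as absence of the behavior. The `false_positives` entry could also say TLS rather than SSL, in line with current terminology.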
--- a/packages/security_detection_engine/kibana/security_rule/rule-bc48bba7-4a23-4232-b551-eca3ca1e3f20.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bc48bba7-4a23-4232-b551-eca3ca1e3f20.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Conditional Access Policy Modified",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)",
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
- ],
- "risk_score": 47,
- "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1098",
- "name": "Account Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1098/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Conditional Access Policy Modified",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+ ],
+ "risk_score": 47,
+ "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bca7d28e-4a48-47b1-adb7-5074310e9a61.json b/packages/security_detection_engine/kibana/security_rule/rule-bca7d28e-4a48-47b1-adb7-5074310e9a61.json
index 8ce537f3d58..4096fa3bd2d 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bca7d28e-4a48-47b1-adb7-5074310e9a61.json
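Review bot: This rule has no `false_positives` entry, unlike every other continuous-monitoring rule in this diff, even though `"Update policy"` is an operation an identity administrator performs routinely and the rule fires on every successful one. Suggest adding one in the siblings' style, e.g. `"false_positives": ["Conditional Access policies may be modified by a system or identity administrator. Verify that the change was expected. Exceptions can be added to this rule to filter expected behavior."]`. It is also worth confirming that `azure.auditlogs.operation_name:"Update policy"` is emitted only for Conditional Access policies; if other policy objects share that operation name, a category filter would cut noise, but that cannot be determined from the hunk.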
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bca7d28e-4a48-47b1-adb7-5074310e9a61.json 
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
- "false_positives": [
- "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Service Account Disabled",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
- "references": [
- "https://cloud.google.com/iam/docs/service-accounts"
- ],
- "risk_score": 47,
- "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
- },
- "technique": [
- {
- "id": "T1531",
- "name": "Account Access Removal",
- "reference": "https://attack.mitre.org/techniques/T1531/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+ "false_positives": [
+ "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Service Account Disabled",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+ "references": [
+ "https://cloud.google.com/iam/docs/service-accounts"
+ ],
+ "risk_score": 47,
+ "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+ "type": "security_rule"
 }
\ No newline at end of file
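Review bot: The `description` carries a duplicated phrase, "in order to disrupt to disrupt their target's business operations", which the commit copies unchanged from the old side into the new `attributes` block. It should read `An adversary may disable a service account in order to disrupt their target's business operations.` Since this text is what analysts see on the alert, a quick pass over the other descriptions in this batch for the same copy-paste artifact would be cheap.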
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bd7eefee-f671-494e-98df-f01daf9e5f17.json b/packages/security_detection_engine/kibana/security_rule/rule-bd7eefee-f671-494e-98df-f01daf9e5f17.json
index 19718c79ada..77c69351dfb 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bd7eefee-f671-494e-98df-f01daf9e5f17.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bd7eefee-f671-494e-98df-f01daf9e5f17.json
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious Print Spooler Point and Print DLL",
- "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
- "references": [
- "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
- "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
- ],
- "risk_score": 73,
- "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1068",
- "name": "Exploitation for Privilege Escalation",
- "reference": "https://attack.mitre.org/techniques/T1068/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Print Spooler Point and Print DLL",
+ "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+ "references": [
+ "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
+ "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
+ ],
+ "risk_score": 73,
+ "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1068",
+ "name": "Exploitation for Privilege Escalation",
+ "reference": "https://attack.mitre.org/techniques/T1068/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-be8afaed-4bcd-4e0a-b5f9-5562003dde81.json b/packages/security_detection_engine/kibana/security_rule/rule-be8afaed-4bcd-4e0a-b5f9-5562003dde81.json
index aac78931a28..c90cd2152aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-be8afaed-4bcd-4e0a-b5f9-5562003dde81.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-be8afaed-4bcd-4e0a-b5f9-5562003dde81.json
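Review bot: This rule has no `timestamp_override`, while the other EQL rule in this diff (be8afaed) and all of the query rules set `"timestamp_override": "event.ingested"`; the old side lacked it too, so the commit preserves the gap rather than introducing it. With `from` at `now-9m` and no override, registry events that arrive late — offline endpoints, pipeline lag — can fall outside the lookback window and never be evaluated, which matters for a high-severity sequence rule. Suggest adding `"timestamp_override": "event.ingested",` before `"type": "eql"` unless there is a specific reason this sequence should be evaluated on `@timestamp`.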
@@ -1,50 +1,54 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Searching for Saved Credentials via VaultCmd",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n",
- "references": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://rastamouse.me/blog/rdp-jump-boxes/"
- ],
- "risk_score": 47,
- "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1003",
- "name": "OS Credential Dumping",
- "reference": "https://attack.mitre.org/techniques/T1003/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Searching for Saved Credentials via VaultCmd",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n",
+ "references": [
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://rastamouse.me/blog/rdp-jump-boxes/"
+ ],
+ "risk_score": 47,
+ "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json b/packages/security_detection_engine/kibana/security_rule/rule-bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json
index 0b906f7f4e2..4a9fa78c8b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json
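Review bot: The query matches only `process.args:"/list*"`, while the `description` says the rule covers attempts to "list or dump credentials"; the stated scope should match what the query actually fires on. Suggest narrowing the description to enumeration of stored credentials via `vaultcmd.exe /list`, or adding a `note` that states the rule's coverage so analysts do not read a non-match as absence of the broader activity. The `from: now-9m` window together with `"timestamp_override": "event.ingested"` is consistent with the other endpoint rules in this batch.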
@@ -1,84 +1,88 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
- "query": "library where dll.name :\n (\n \"wlbsctrl.dll\",\n \"wbemcomn.dll\",\n \"WptsExtensions.dll\",\n \"Tsmsisrv.dll\",\n \"TSVIPSrv.dll\",\n \"Msfte.dll\",\n \"wow64log.dll\",\n \"WindowsCoreDeviceInfo.dll\",\n \"Ualapi.dll\",\n \"wlanhlp.dll\",\n \"phoneinfo.dll\",\n \"EdgeGdi.dll\",\n \"cdpsgshims.dll\",\n \"windowsperformancerecordercontrol.dll\",\n \"diagtrack_win.dll\"\n ) and \nnot (dll.code_signature.subject_name : \"Microsoft Windows\" and dll.code_signature.status : \"trusted\")\n",
- "references": [
- "https://itm4n.github.io/windows-dll-hijacking-clarified/",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
- "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
- "https://windows-internals.com/faxing-your-way-to-system/",
- "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
- ],
- "risk_score": 73,
- "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
+ "query": "library where dll.name :\n (\n \"wlbsctrl.dll\",\n \"wbemcomn.dll\",\n \"WptsExtensions.dll\",\n \"Tsmsisrv.dll\",\n \"TSVIPSrv.dll\",\n \"Msfte.dll\",\n \"wow64log.dll\",\n \"WindowsCoreDeviceInfo.dll\",\n \"Ualapi.dll\",\n \"wlanhlp.dll\",\n \"phoneinfo.dll\",\n \"EdgeGdi.dll\",\n \"cdpsgshims.dll\",\n \"windowsperformancerecordercontrol.dll\",\n \"diagtrack_win.dll\"\n ) and \nnot (dll.code_signature.subject_name : \"Microsoft Windows\" and dll.code_signature.status : \"trusted\")\n",
+ "references": [
+ "https://itm4n.github.io/windows-dll-hijacking-clarified/",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
+ "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+ "https://windows-internals.com/faxing-your-way-to-system/",
+ "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.002",
+ "name": "DLL Side-Loading",
+ "reference": "https://attack.mitre.org/techniques/T1574/002/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1574",
- "name": "Hijack Execution Flow",
- "reference": "https://attack.mitre.org/techniques/T1574/",
- "subtechnique": [
- {
- "id": "T1574.002",
- "name": "DLL Side-Loading",
- "reference": "https://attack.mitre.org/techniques/T1574/002/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1574",
- "name": "Hijack Execution Flow",
- "reference": "https://attack.mitre.org/techniques/T1574/",
- "subtechnique": [
- {
- "id": "T1574.001",
- "name": "DLL Search Order Hijacking",
- "reference": "https://attack.mitre.org/techniques/T1574/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.001",
+ "name": "DLL Search Order Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json b/packages/security_detection_engine/kibana/security_rule/rule-c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json
index 165f10344df..6e732338f04 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json
@@ -1,64 +1,68 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
- "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
- "references": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
- ],
- "risk_score": 73,
- "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Privilege Escalation",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
+ "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
+ "references": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
+ ],
+ "risk_score": 73,
+ "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Privilege Escalation",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c0429aa8-9974-42da-bfb6-53a0a515a145.json b/packages/security_detection_engine/kibana/security_rule/rule-c0429aa8-9974-42da-bfb6-53a0a515a145.json
index b3743202431..0d335ebe713 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c0429aa8-9974-42da-bfb6-53a0a515a145.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c0429aa8-9974-42da-bfb6-53a0a515a145.json
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Creation or Modification of a new GPO Scheduled Task or Service",
- "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
- "risk_score": 21,
- "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1053",
- "name": "Scheduled Task/Job",
- "reference": "https://attack.mitre.org/techniques/T1053/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+ "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+ "risk_score": 21,
+ "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c0be5f31-e180-48ed-aa08-96b36899d48f.json b/packages/security_detection_engine/kibana/security_rule/rule-c0be5f31-e180-48ed-aa08-96b36899d48f.json
index 9242d175a41..0ceaebc0e7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c0be5f31-e180-48ed-aa08-96b36899d48f.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c0be5f31-e180-48ed-aa08-96b36899d48f.json
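Review bot: The second alternative in the `file.path` clause of the new-side `query` reads `MACHINE\\Preferences\\Preferences\\Services\\Services.xml`, which looks like a duplicated `Preferences` segment; Group Policy Preferences keeps service items at `MACHINE\\Preferences\\Services\\Services.xml`, parallel to the `Preferences\\ScheduledTasks\\ScheduledTasks.xml` path the first alternative uses, so as written the Services.xml branch likely never matches and the rule would only cover scheduled tasks despite its name. Please confirm against SYSVOL on a domain controller and, if so, change that path to `C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml` inside the query string. This is carried over from the old side rather than introduced by the wrapping change, so a follow-up commit with a `version` bump is the right place for it.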
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Credential Manipulation - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
- "risk_score": 73,
- "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Credential Manipulation - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+ "risk_score": 73,
+ "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c25e9c87-95e1-4368-bfab-9fd34cf867ec.json b/packages/security_detection_engine/kibana/security_rule/rule-c25e9c87-95e1-4368-bfab-9fd34cf867ec.json
index b9831ccfcb3..3689ecdfb05 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c25e9c87-95e1-4368-bfab-9fd34cf867ec.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c25e9c87-95e1-4368-bfab-9fd34cf867ec.json
@@ -1,51 +1,55 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "max_signals": 33,
- "name": "Microsoft IIS Connection Strings Decryption",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
- "references": [
- "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
- ],
- "risk_score": 73,
- "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1003",
- "name": "OS Credential Dumping",
- "reference": "https://attack.mitre.org/techniques/T1003/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "Microsoft IIS Connection Strings Decryption",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+ "references": [
+ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+ ],
+ "risk_score": 73,
+ "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c28c4d8c-f014-40ef-88b6-79a1d67cd499.json b/packages/security_detection_engine/kibana/security_rule/rule-c28c4d8c-f014-40ef-88b6-79a1d67cd499.json
index 29d04991690..8029aa2a077 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c28c4d8c-f014-40ef-88b6-79a1d67cd499.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c28c4d8c-f014-40ef-88b6-79a1d67cd499.json
@@ -1,44 +1,48 @@
 {
- "anomaly_threshold": 25,
- "author": [
- "Elastic"
- ],
- "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
- "false_positives": [
- "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_network_connection_discovery",
- "name": "Unusual Linux Network Connection Discovery",
- "risk_score": 21,
- "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1049",
- "name": "System Network Connections Discovery",
- "reference": "https://attack.mitre.org/techniques/T1049/"
- }
- ]
- }
- ],
- "type": "machine_learning",
- "version": 2
+ "attributes": {
+ "anomaly_threshold": 25,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+ "false_positives": [
+ "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_network_connection_discovery",
+ "name": "Unusual Linux Network Connection Discovery",
+ "risk_score": 21,
+ "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1049",
+ "name": "System Network Connections Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1049/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 2
+ },
+ "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c292fa52-4115-408a-b897-e14f684b3cb7.json b/packages/security_detection_engine/kibana/security_rule/rule-c292fa52-4115-408a-b897-e14f684b3cb7.json
index cccd27e8414..07ecd15439b 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c292fa52-4115-408a-b897-e14f684b3cb7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c292fa52-4115-408a-b897-e14f684b3cb7.json
@@ -1,63 +1,67 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Persistence via Folder Action Script",
- "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.ppid\n",
- "references": [
- "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
- ],
- "risk_score": 47,
- "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Execution",
- "Persistence"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Persistence via Folder Action Script",
+ "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.ppid\n",
+ "references": [
+ "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
+ ],
+ "risk_score": 47,
+ "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Execution",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1037",
+ "name": "Boot or Logon Initialization Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1037",
- "name": "Boot or Logon Initialization Scripts",
- "reference": "https://attack.mitre.org/techniques/T1037/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 2
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c2d90150-0133-451c-a783-533e736c12d7.json b/packages/security_detection_engine/kibana/security_rule/rule-c2d90150-0133-451c-a783-533e736c12d7.json
index 5d1a1f8b996..e50269bbac8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-c2d90150-0133-451c-a783-533e736c12d7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c2d90150-0133-451c-a783-533e736c12d7.json
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Mshta Making Network Connections", - "query": "sequence by process.entity_id with maxspan=2h\n [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where process.name : \"mshta.exe\"]\n", - "risk_score": 21, - "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.005", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1218/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Mshta.exe making outbound network connections. 
This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mshta Making Network Connections", + "query": "sequence by process.entity_id with maxspan=2h\n [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where process.name : \"mshta.exe\"]\n", + "risk_score": 21, + "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "c2d90150-0133-451c-a783-533e736c12d7", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c3167e1b-f73c-41be-b60b-87f4df707fe3.json b/packages/security_detection_engine/kibana/security_rule/rule-c3167e1b-f73c-41be-b60b-87f4df707fe3.json index 436ab42b7c4..d8c80b22eca 100644 
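Review bot: The first stage of the sequence matches on `process.name : "mshta.exe"` only, so a copy of mshta.exe renamed to anything else is never joined with its network event and the rule is silently bypassed. The net.exe rule later in this same change already uses the `(process.name : "x.exe" or process.pe.original_file_name == "x.exe")` form; the same pattern here would be `(process.name : "mshta.exe" or process.pe.original_file_name == "mshta.exe")`, with the second stage left on `process.entity_id` as it is. The parent-path exclusions (`C:\\TeamViewer\\TeamViewer.exe`, `C:\\Amazon\\...`) and the bare `ADSelfService_Enroll.hta` argument exclusion are matched on attacker-influenceable strings; a `note` stating that these exceptions should be reviewed against the parent's signer or hash would help analysts tuning the rule.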
--- a/packages/security_detection_engine/kibana/security_rule/rule-c3167e1b-f73c-41be-b60b-87f4df707fe3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c3167e1b-f73c-41be-b60b-87f4df707fe3.json @@ -1,24 +1,28 @@ { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Permission Theft - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", - "risk_score": 73, - "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", - "severity": "high", - "tags": [ - "Elastic", - "Elastic Endgame" - ], - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Permission Theft - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 5 + }, + "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json b/packages/security_detection_engine/kibana/security_rule/rule-c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json index 065173da6e1..5bd535c69d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Mounting Hidden or WebDav Remote Shares", - "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", - "risk_score": 21, - "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. 
This may indicate lateral movement or preparation for data exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mounting Hidden or WebDav Remote Shares", + "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "risk_score": 21, + "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c58c3081-2e1d-4497-8491-e73a45d1a6d6.json b/packages/security_detection_engine/kibana/security_rule/rule-c58c3081-2e1d-4497-8491-e73a45d1a6d6.json index c796ea2b461..2228f6ee725 100644 
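Review bot: The query only sees mounts performed through `net.exe`/`net1.exe` with a `use` argument, so the same share access via other interfaces (for example a PowerShell drive mapping or a direct UNC path in Explorer) is out of scope, and nothing in the rule metadata says so. A `note` field along the lines of "Coverage is limited to net.exe/net1.exe; mounts made through other tooling or directly via UNC paths are not detected by this rule" would set expectations for analysts, consistent with the `note` fields carried by the Okta and GCP rules in this change. The `not process.args : "/d*"` exclusion is documented inline, which is good; the hidden-share and `@SSL` patterns would benefit from the same one-line explanation of what each wildcard is meant to match.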
--- a/packages/security_detection_engine/kibana/security_rule/rule-c58c3081-2e1d-4497-8491-e73a45d1a6d6.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c58c3081-2e1d-4497-8491-e73a45d1a6d6.json 
@@ -1,35 +1,39 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", - "false_positives": [ - "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Network Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success", - "references": [ - "https://cloud.google.com/vpc/docs/vpc" - ], - "risk_score": 47, - "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", + "false_positives": [ + "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Network Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success", + "references": [ + "https://cloud.google.com/vpc/docs/vpc" + ], + "risk_score": 47, + "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c5ce48a6-7f57-4ee8-9313-3d0024caee10.json b/packages/security_detection_engine/kibana/security_rule/rule-c5ce48a6-7f57-4ee8-9313-3d0024caee10.json index cd84b903e96..5c19b80de1a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c5ce48a6-7f57-4ee8-9313-3d0024caee10.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c5ce48a6-7f57-4ee8-9313-3d0024caee10.json 
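Review bot: The query requires `event.outcome:success`, so a denied `compute.networks.delete` attempt by a compromised or over-reaching principal never produces an alert, even though a failed destructive call is often the earlier and more actionable signal. Consider dropping the outcome filter or documenting in `false_positives`/`note` that failures are intentionally excluded and should be covered elsewhere. Separately, the `note` says only "The GCP Filebeat module must be enabled" while `index` also lists `logs-gcp*`; mirroring the Okta wording, `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."` keeps the metadata consistent with the data sources actually queried.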
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Installation of Custom Shim Databases", - "query": "sequence by process.entity_id with maxspan = 5m\n [process where event.type in (\"start\", \"process_started\") and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", - "risk_score": 21, - "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the installation of custom Application Compatibility Shim databases. 
This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Custom Shim Databases", + "query": "sequence by process.entity_id with maxspan = 5m\n [process where event.type in (\"start\", \"process_started\") and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", + "risk_score": 21, + "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json b/packages/security_detection_engine/kibana/security_rule/rule-c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json index 1eda2d11cb9..de734ff25a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json 
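Review bot: The sequence joins a process start with the registry write inside `maxspan = 5m`, so a process that has been running longer than five minutes (an interactive shell, a scheduled-task host) that writes `AppCompatFlags\Custom\*.sdb` produces no alert, since its start event falls outside the window. If the intent is to catch any writer other than the msiexec-spawned `sdbinst.exe`, a single-event `registry where ...` query with the `process.name`/`process.parent.name` exclusion applied directly would not depend on start-event timing. The registry stage also matches only the `Custom` key; shim installation is generally documented as also populating `AppCompatFlags\InstalledSDB`, so including that path (to be confirmed against endpoint data) would add a second artifact to pivot on.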
+++ b/packages/security_detection_engine/kibana/security_rule/rule-c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by an Office Application", - "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 73, - "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by an Office Application", + "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "type": "security_rule" } \ No newline at end of file 
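Review bot: The match is on `process.name:MSBuild.exe` only, with no `process.pe.original_file_name` check, so a renamed MSBuild binary launched by an Office parent evades the rule; the MpCmdRun rule in this same change already uses `(process.name:X or process.pe.original_file_name:X)`, so `(process.name:MSBuild.exe or process.pe.original_file_name:MSBuild.exe)` would be the consistent form here. The `description` and `false_positives` text speak only of Excel and Word, while the parent list also covers `msaccess.exe`, `mspub.exe`, `outlook.exe`, `powerpnt.exe`, `eqnedt32.exe` and `fltldr.exe`; the description should say "started by a Microsoft Office application (Word, Excel, Outlook, PowerPoint, Access, Publisher, or their helper processes)". The second `threat` entry for TA0002 has an empty `technique` array, which is valid but gives analysts nothing to pivot on.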
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json b/packages/security_detection_engine/kibana/security_rule/rule-c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json index 5de1a7f934d..189e4f6882e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Remote File Download via MpCmdRun", - "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.", - "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")", - "references": [ - "https://twitter.com/mohammadaskar2/status/1301263551638761477", - "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" - ], - "risk_score": 47, - "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + 
"license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.", + "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c6474c34-4953-447a-903e-9fcb7b6661aa.json b/packages/security_detection_engine/kibana/security_rule/rule-c6474c34-4953-447a-903e-9fcb7b6661aa.json index 40e3c17b590..b3b135bf4e2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c6474c34-4953-447a-903e-9fcb7b6661aa.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c6474c34-4953-447a-903e-9fcb7b6661aa.json 
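Review bot: The argument filter lists two case variants for the download switch (`"-DownloadFile" or "-downloadfile"`) but only lowercase `"-url"` and `"-path"`; if `process.args` is a plain keyword field, KQL term matching is exact, so an invocation using `-Url` or `-Path` (accepted by the utility, which is case-insensitive) slips past the rule while the first clause still matches. Either add the common casings, e.g. `("-url" or "-Url" or "-URL") and ("-path" or "-Path")`, or, if the index applies a lowercase normalizer to `process.args`, document that assumption in `note` so the duplicated `-DownloadFile` casing is not mistaken for full coverage. The `note` already points to `MpCmdRun.log` for triage, which is useful.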
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", - "false_positives": [ - "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 47, - "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", + "false_positives": [ + "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. 
Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 47, + "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"query", + "version": 8 + }, + "id": "c6474c34-4953-447a-903e-9fcb7b6661aa", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c749e367-a069-4a73-b1f2-43a3798153ad.json b/packages/security_detection_engine/kibana/security_rule/rule-c749e367-a069-4a73-b1f2-43a3798153ad.json index 3c3e77a75e7..8f69038d324 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c749e367-a069-4a73-b1f2-43a3798153ad.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c749e367-a069-4a73-b1f2-43a3798153ad.json 
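Review bot: The `source.ip` clause admits only the three IPv4 RFC 1918 ranges, so IRC traffic originating from an IPv6 internal host never matches, even though the `destination.ip` exclusion list already handles `::1`, `FE80::/10` and `FF00::/8` and so anticipates IPv6 events. Adding unique-local space on both sides, `source.ip:( ... or "fc00::/7" )` and `not destination.ip:( ... or "fc00::/7" )`, closes that gap with the rule's existing structure. The `false_positives` entry also reads "this rule may false under certain conditions"; "may fire falsely" or "may produce false positives" is the intended phrasing.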
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Delete an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:zone.delete", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Network Zone", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:zone.delete", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "c749e367-a069-4a73-b1f2-43a3798153ad", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c74fd275-ab2c-4d49-8890-e2943fa65c09.json b/packages/security_detection_engine/kibana/security_rule/rule-c74fd275-ab2c-4d49-8890-e2943fa65c09.json index 8daae0333da..94257736452 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c74fd275-ab2c-4d49-8890-e2943fa65c09.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c74fd275-ab2c-4d49-8890-e2943fa65c09.json 
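Review bot: The new-side `false_positives` string still carries the typo `Oyour organization's Okta network zones` (should be `your organization's Okta network zones`), which the wrap into `attributes` copies verbatim. The description also claims coverage of zones being modified or deactivated, yet the query matches only `event.action:zone.delete`, so either narrow the description to deletion or extend the action list with the update/deactivate event types after confirming them against the Okta event-types reference already listed. Either text fix should come with a bump of `"version": 3` so deployed rules pick it up.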
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Application", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:application.lifecycle.update", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 21, - "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", - "severity": "low", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Application", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:application.lifecycle.update", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 21, + "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json b/packages/security_detection_engine/kibana/security_rule/rule-c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json index d229b43b513..a67a6fdd3f1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json 
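Review bot: The query matches only `event.action:application.lifecycle.update`, while the description promises detection of applications being modified, deactivated, or deleted; a deactivation or deletion will not fire this rule as written. Either reword the description to say the rule covers application lifecycle updates, or extend `event.action` with the deactivate/delete lifecycle event types once verified against the Okta event-types reference in `references`. With `risk_score` 21 and no carve-out for provisioning/automation accounts, routine application changes will generate noise; the `false_positives` entry could point at adding an exception on the acting user.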
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual File Modification by dns.exe", - "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", - "query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/" - ], - "risk_score": 73, - "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - 
"timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual File Modification by dns.exe", + "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", + "query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/" + ], + "risk_score": 73, + "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": 
"https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c81cefcb-82b9-4408-a533-3c3df549e62d.json b/packages/security_detection_engine/kibana/security_rule/rule-c81cefcb-82b9-4408-a533-3c3df549e62d.json index 69a83908492..078ca44d57c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c81cefcb-82b9-4408-a533-3c3df549e62d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c81cefcb-82b9-4408-a533-3c3df549e62d.json 
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via Docker Shortcut Modification", - "query": "event.category : file and event.action : modification and file.path : /Users/*/Library/Preferences/com.apple.dock.plist and not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)", - "references": [ - "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" - ], - "risk_score": 47, - "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via Docker Shortcut Modification", + "query": "event.category : file and event.action : modification and file.path : 
/Users/*/Library/Preferences/com.apple.dock.plist and not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "risk_score": 47, + "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c82b2bd8-d701-420c-ba43-f11a155b681a.json b/packages/security_detection_engine/kibana/security_rule/rule-c82b2bd8-d701-420c-ba43-f11a155b681a.json index 39723f88a11..cc376b713e4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c82b2bd8-d701-420c-ba43-f11a155b681a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c82b2bd8-d701-420c-ba43-f11a155b681a.json 
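Review bot: The rule name `Persistence via Docker Shortcut Modification` is a typo for the macOS Dock, which both the description and the monitored path `com.apple.dock.plist` refer to; rename it to `Persistence via Dock Shortcut Modification` so analysts searching for container-related rules are not misled. The exclusion list (`xpcproxy`, `cfprefsd`, `plutil`, `jamf`, `PlistBuddy`, `InstallerRemotePluginService`) is keyed on `process.name` only, so a malicious binary dropped under one of those names in a user-writable directory bypasses the rule; constraining the exclusions with `process.executable` to their system install paths would close that gap. Both changes warrant a bump from `"version": 1`.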
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMB (Windows File Sharing) Activity to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 73, - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 73, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": 
"https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json b/packages/security_detection_engine/kibana/security_rule/rule-c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json index 9b701a67c7c..39a20d62b5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json 
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Direct Outbound SMB Connection", - "query": "sequence by process.entity_id\n [process where event.type == \"start\" and process.pid != 4]\n [network where destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", - "risk_score": 47, - "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "type": "eql", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. 
Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Direct Outbound SMB Connection", + "query": "sequence by process.entity_id\n [process where event.type == \"start\" and process.pid != 4]\n [network where destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c87fca17-b3a9-4e83-b545-f30746c53920.json b/packages/security_detection_engine/kibana/security_rule/rule-c87fca17-b3a9-4e83-b545-f30746c53920.json index 27f5bce299c..b93d6a01e61 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c87fca17-b3a9-4e83-b545-f30746c53920.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c87fca17-b3a9-4e83-b545-f30746c53920.json 
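Review bot: The loopback exclusion `not cidrmatch(destination.ip, "127.0.0.1", "::1")` in the network stage covers a single IPv4 address rather than the whole loopback block, so connections to 127.0.0.2 or any other `127.0.0.0/8` address will still alert; `cidrmatch(destination.ip, "127.0.0.0/8", "::1")` is the intended check. The `sequence by process.entity_id` also has no `with maxspan`, so every process start is held until a matching 445/tcp event arrives, which grows sequence state on busy hosts and can pair a start with a connection made hours later; a bound such as `sequence by process.entity_id with maxspan=1m` keeps the join tight. Both are small query edits and should bump `"version": 6`.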
@@ -1,33 +1,37 @@ { - "author": [ - "Elastic" - ], - "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", - "false_positives": [ - "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Nmap Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:nmap", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 21, - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", + "false_positives": [ + "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." 
+ ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Nmap Process Activity", + "query": "event.category:process and event.type:(start or process_started) and process.name:nmap", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 21, + "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "c87fca17-b3a9-4e83-b545-f30746c53920", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json b/packages/security_detection_engine/kibana/security_rule/rule-c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json index 87d3f9ca3e6..7cb01b2fd9c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json 
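Review bot: The query keys solely on `process.name:nmap`, so copying the binary to another name is enough to evade the rule, and neither the description nor the `false_positives` text mentions this limitation. A `note` field such as `This rule relies on the unmodified binary name; renamed copies of nmap are not detected.` would set expectations, and if the endpoint data carries them, a complementary condition on `process.hash.*` or `process.args` would make evasion costlier. At `risk_score` 21 this is informational, so the stated caveat matters more than extra exclusions.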
@@ -1,24 +1,28 @@ { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Credential Manipulation - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", - "risk_score": 47, - "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", - "severity": "medium", - "tags": [ - "Elastic", - "Elastic Endgame" - ], - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Credential Manipulation - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 5 + }, + "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ca79768e-40e1-4e45-a097-0e5fbc876ac2.json b/packages/security_detection_engine/kibana/security_rule/rule-ca79768e-40e1-4e45-a097-0e5fbc876ac2.json index a97d1d6ef5e..1fb9caaf557 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ca79768e-40e1-4e45-a097-0e5fbc876ac2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ca79768e-40e1-4e45-a097-0e5fbc876ac2.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", - "false_positives": [ - "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" - ], - "risk_score": 47, - "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. 
An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "type": "security_rule" } \ No newline at end of file 
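Review bot: The rule is named `Microsoft 365 Exchange Malware Filter Rule Modification`, but the query matches only `Remove-MalwareFilterRule` and `Disable-MalwareFilterRule`; an adversary who weakens a rule in place (changing its scope or priority via the corresponding Set- cmdlet) is not covered, so either rename to `... Malware Filter Rule Deletion or Disablement` or extend `event.action` after confirming the cmdlet name in the linked Exchange PowerShell docs. The `event.outcome:success` condition also drops failed attempts, which for a defense-evasion rule are themselves a signal of an account probing its permissions; a companion rule or a relaxed outcome filter would surface them.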
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cab4f01c-793f-4a54-a03e-e5d85b96d7af.json b/packages/security_detection_engine/kibana/security_rule/rule-cab4f01c-793f-4a54-a03e-e5d85b96d7af.json index 8514d6209bb..94ad8f6de0d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cab4f01c-793f-4a54-a03e-e5d85b96d7af.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cab4f01c-793f-4a54-a03e-e5d85b96d7af.json 
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies that a login attempt has happened from a forbidden location.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Login from Forbidden Location", - "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412" - ], - "risk_score": 73, - "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that a login attempt has happened from a forbidden location.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Auditd Login from Forbidden Location", + "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412" + ], + "risk_score": 73, + "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": 
"https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json b/packages/security_detection_engine/kibana/security_rule/rule-cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json index 7ddbd506209..4f1825f6ac6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json 
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace MFA Enforcement Disabled", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en#" - ], - "risk_score": 47, - "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace MFA Enforcement Disabled", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en#" + ], + "risk_score": 47, + "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "type": "security_rule" } \ No newline at end of file 
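Review bot: The dataset clause in `query` accepts `google_workspace.admin` events, but the final condition `gsuite.admin.new_value:false` is scoped to the legacy `gsuite.*` field namespace, so events from the newer dataset can only match if that integration also populates `gsuite.admin.new_value`. If the Google Workspace integration writes `google_workspace.admin.new_value` instead (as its dataset name and the `logs-google_workspace*` index pattern suggest), MFA-enforcement changes collected through it would be silently missed by a rule whose whole purpose is to catch a weakened control. Consider `and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)` and verify the field name against a live event from each dataset before relying on it.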
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json b/packages/security_detection_engine/kibana/security_rule/rule-cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json index 8bb2b8513fe..941dffd9d18 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", - "false_positives": [ - "Trusted applications for managing calendars and reminders." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Calendar File Modification", - "query": "event.category:file and event.action:modification and file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and process.executable: (* and not ( /System/Library/* or /System/Applications/Calendar.app/Contents/MacOS/* or /usr/libexec/xpcproxy or /sbin/launchd or /Applications/* ) )", - "references": [ - "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", - "https://github.com/FSecureLABS/CalendarPersist", - "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" - ], - "risk_score": 47, - "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious modifications of the calendar file by an unusual process. 
Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", + "false_positives": [ + "Trusted applications for managing calendars and reminders." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Calendar File Modification", + "query": "event.category:file and event.action:modification and file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and process.executable: (* and not ( /System/Library/* or /System/Applications/Calendar.app/Contents/MacOS/* or /usr/libexec/xpcproxy or /sbin/launchd or /Applications/* ) )", + "references": [ + "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", + "https://github.com/FSecureLABS/CalendarPersist", + "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" + ], + "risk_score": 47, + "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cc16f774-59f9-462d-8b98-d27ccd4519ec.json b/packages/security_detection_engine/kibana/security_rule/rule-cc16f774-59f9-462d-8b98-d27ccd4519ec.json index 8fd3005b752..18a91f4542f 100644 
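Review bot: The exclusion list in `query` allowlists every executable under `/Applications/*`, which is far broader than the Calendar.app and system paths beside it and means any application bundle an adversary or user drops into /Applications can modify the `.ics` files without triggering the rule. The persistence technique in the linked references appears to be driven from scripting (the CalendarPersist.js reference is JXA), which is not excluded, so the rule still has value, but the gap should be stated rather than left implicit. At minimum add it to `false_positives` or a `note`, e.g. `Processes running from /Applications are excluded; a malicious or trojanized app installed there will not be detected by this rule.`, or narrow the exclusion to the specific calendar/reminder apps observed in your environment.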
--- a/packages/security_detection_engine/kibana/security_rule/rule-cc16f774-59f9-462d-8b98-d27ccd4519ec.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cc16f774-59f9-462d-8b98-d27ccd4519ec.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to get information about running processes on a system.", - "false_positives": [ - "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Process Discovery via Tasklist", - "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe", - "risk_score": 21, - "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to get information about running processes on a system.", + "false_positives": [ + "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Discovery via Tasklist", + "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe", + "risk_score": 21, + "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cc2fd2d0-ba3a-4939-b87f-2901764ed036.json b/packages/security_detection_engine/kibana/security_rule/rule-cc2fd2d0-ba3a-4939-b87f-2901764ed036.json index 1e6acb1db93..8abcee27bba 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cc2fd2d0-ba3a-4939-b87f-2901764ed036.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cc2fd2d0-ba3a-4939-b87f-2901764ed036.json 
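Review bot: The `query` identifies the tool solely by `process.name:tasklist.exe`, so a copy of the binary renamed to anything else produces no alert while still performing the same process discovery. Elastic endpoint and winlogbeat process events generally carry the PE original file name; if `process.pe.original_file_name` is populated in your data, `process.name:tasklist.exe or process.pe.original_file_name:tasklist.exe` keeps the low-noise profile of this rule while covering the rename case. Worth confirming the field is present for the `logs-windows.*` source before depending on it.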
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Enable the Root Account", - "query": "event.category:process and event.type:(start or process_started) and process.name:dsenableroot and not process.args:\"-d\"", - "references": [ - "https://ss64.com/osx/dsenableroot.html" - ], - "risk_score": 47, - "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the root account using the dsenableroot command. 
This command may be abused by adversaries for persistence, as the root account is disabled by default.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Enable the Root Account", + "query": "event.category:process and event.type:(start or process_started) and process.name:dsenableroot and not process.args:\"-d\"", + "references": [ + "https://ss64.com/osx/dsenableroot.html" + ], + "risk_score": 47, + "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cc89312d-6f47-48e4-a87c-4977bd4633c3.json b/packages/security_detection_engine/kibana/security_rule/rule-cc89312d-6f47-48e4-a87c-4977bd4633c3.json index 1566a1cfba5..286c566864b 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cc89312d-6f47-48e4-a87c-4977bd4633c3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cc89312d-6f47-48e4-a87c-4977bd4633c3.json 
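Review bot: `dsenableroot` takes the administrator and root passwords as command-line options (`-p` / `-r`, see the ss64 reference), so the `process.args` captured for every hit of this rule can contain live credentials in clear text, and nothing in the rule warns analysts about that. Add a `note` such as `Process arguments for dsenableroot may contain the administrator and root passwords supplied via -p and -r; treat alert data as sensitive and rotate those credentials if the activity was malicious.` The rule also has no `false_positives` entry, unlike its siblings in this change; a line noting that administrators occasionally enable root for support or imaging tasks would help triage.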
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", - "false_positives": [ - "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Subscription Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success", - "references": [ - "https://cloud.google.com/pubsub/docs/overview" - ], - "risk_score": 21, - "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). 
In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", + "false_positives": [ + "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Subscription Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "risk_score": 21, + "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", + "type": "security_rule" } \ No newline at end of file 
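Review bot: The `note` says only the GCP Filebeat module must be enabled, but `index` also targets `logs-gcp*`, the Fleet integration data stream, so the prerequisite text undersells the supported sources and is inconsistent with the wording the other rules in this change use (`The ... Fleet integration or Filebeat module must be enabled to use this rule.`). Suggest `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."`.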
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cc92c835-da92-45c9-9f29-b4992ad621a0.json b/packages/security_detection_engine/kibana/security_rule/rule-cc92c835-da92-45c9-9f29-b4992ad621a0.json index 8365465748e..167827399ac 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cc92c835-da92-45c9-9f29-b4992ad621a0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cc92c835-da92-45c9-9f29-b4992ad621a0.json 
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Policy Rule", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:policy.rule.deactivate", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Policy Rule", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:policy.rule.deactivate", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "cc92c835-da92-45c9-9f29-b4992ad621a0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ccc55af4-9882-4c67-87b4-449a7ae8079c.json b/packages/security_detection_engine/kibana/security_rule/rule-ccc55af4-9882-4c67-87b4-449a7ae8079c.json index 59f558e99bb..abf2d25e0cb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ccc55af4-9882-4c67-87b4-449a7ae8079c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ccc55af4-9882-4c67-87b4-449a7ae8079c.json 
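Review bot: The `false_positives` text talks about "Okta MFA rules" being deactivated, but `query` matches `policy.rule.deactivate` for a rule in any Okta policy type (sign-on, password and so on), so the guidance understates what will alert and whose changes may need exceptions. Reword to `Consider adding exceptions to this rule to filter false positives if rules within Okta policies (e.g. sign-on or password policies) are regularly deactivated in your organization.`. The rule also carries no `threat` mapping while the M365 and GCP rules in this same change map comparable control-weakening to Defense Evasion / T1562 Impair Defenses; adding the same mapping keeps ATT&CK coverage reporting consistent.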
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Process Herpaderping Attempt", - "query": "sequence with maxspan=5s\n [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n", - "references": [ - "https://github.com/jxy-s/herpaderping" - ], - "risk_score": 73, - "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. 
This may indicate an evasion attempt to execute malicious code in a stealthy way.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Process Herpaderping Attempt", + "query": "sequence with maxspan=5s\n [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n", + "references": [ + "https://github.com/jxy-s/herpaderping" + ], + "risk_score": 73, + "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cd16fb10-0261-46e8-9932-a0336278cdbe.json b/packages/security_detection_engine/kibana/security_rule/rule-cd16fb10-0261-46e8-9932-a0336278cdbe.json index 8581633dae6..193176ed6a6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cd16fb10-0261-46e8-9932-a0336278cdbe.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cd16fb10-0261-46e8-9932-a0336278cdbe.json 
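Review bot: The second step of the EQL sequence filters with `file.extension == "exe"`, and in current Elasticsearch EQL `==` is a case-sensitive string comparison (the `:` operator used for `process.parent.executable` on the line above is the case-insensitive one), so an overwrite of `payload.EXE` on a case-insensitive NTFS volume would not complete the sequence. Use `file.extension : "exe"` to match the way the rest of the query already compares paths. Separately, this is the only rule in the change without `"timestamp_override": "event.ingested"`; with `from: now-9m`, events that reach the cluster late would fall outside the lookback if the rule evaluates on `@timestamp`, so consider adding it unless EQL rules in this package deliberately omit it.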
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification or Removal of an Okta Application Sign-On Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification or Removal of an Okta Application Sign-On Policy", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "cd16fb10-0261-46e8-9932-a0336278cdbe", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126.json b/packages/security_detection_engine/kibana/security_rule/rule-cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126.json index fdde6157736..84b08f46474 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126.json 
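Review bot: This rule has no `threat` mapping, so its alerts do not surface in ATT&CK coverage even though the description frames the change as weakening security controls, which is exactly the Defense Evasion / T1562 Impair Defenses mapping the GCP Pub/Sub rule in this same change carries. Add a `threat` entry with tactic `TA0005` and technique `T1562`, and mirror it on the other Okta policy rules so reporting stays consistent. The `event.action` list is also asymmetric, `sign_on.update` at policy level paired with `sign_on.rule.delete` at rule level; if Okta emits `application.policy.sign_on.rule.update` or `.deactivate` events as well, they are worth checking against the event-types reference and adding.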
@@ -1,33 +1,37 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.",
- "false_positives": [
- "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Socat Process Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
- "references": [
- "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
- ],
- "risk_score": 47,
- "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.",
+ "false_positives": [
+ "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Socat Process Activity",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+ "references": [
+ "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
+ ],
+ "risk_score": 47,
+ "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json b/packages/security_detection_engine/kibana/security_rule/rule-cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json
index 031f520910f..339d3f33c03 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json
@@ -1,27 +1,31 @@
 {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
- "false_positives": [
- "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_rare_user_compiler",
- "name": "Anomalous Linux Compiler Activity",
- "risk_score": 21,
- "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "type": "machine_learning",
- "version": 2
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+ "false_positives": [
+ "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_rare_user_compiler",
+ "name": "Anomalous Linux Compiler Activity",
+ "risk_score": 21,
+ "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 2
+ },
+ "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json b/packages/security_detection_engine/kibana/security_rule/rule-cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json
index dff79651c9d..50b0a471c6e 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json
@@ -1,80 +1,84 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
- "false_positives": [
- "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Kernel Module Removal",
- "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
- "references": [
- "http://man7.org/linux/man-pages/man8/modprobe.8.html"
- ],
- "risk_score": 73,
- "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+ "false_positives": [
+ "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kernel Module Removal",
+ "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+ "references": [
+ "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1547",
- "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.006",
- "name": "Kernel Modules and Extensions",
- "reference": "https://attack.mitre.org/techniques/T1547/006/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.006",
+ "name": "Kernel Modules and Extensions",
+ "reference": "https://attack.mitre.org/techniques/T1547/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cd89602e-9db0-48e3-9391-ae3bf241acd8.json b/packages/security_detection_engine/kibana/security_rule/rule-cd89602e-9db0-48e3-9391-ae3bf241acd8.json
index 870b660ff21..2b92c5091c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cd89602e-9db0-48e3-9391-ae3bf241acd8.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cd89602e-9db0-48e3-9391-ae3bf241acd8.json
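Review bot: The query requires the literal token `sudo` in `process.args` next to `rmmod` or `modprobe` with `--remove`/`-r`, so a module removal issued from a shell that already runs as root, or through any privilege wrapper other than sudo, produces an `rmmod`/`modprobe` process event with no `sudo` in its argv and is not matched, although the description promises to identify removal attempts generally. Anchoring on the executing binary and the effective user, e.g. `process.name:(rmmod or modprobe)` combined with `user.id:0` (assuming the endpoint and auditbeat sources populate `user.id` for these events), would cover both the sudo-wrapped and the direct case; failing that, the coverage boundary belongs in `note` or `false_positives`. A related looseness: `\"-r\"` is matched as a standalone array element anywhere in the sudo command line, so any `-r` flag belonging to another command in the same line satisfies the `modprobe` branch.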
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
- "false_positives": [
- "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Deactivate MFA for an Okta User Account",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
- "references": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1098",
- "name": "Account Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1098/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+ "false_positives": [
+ "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate MFA for an Okta User Account",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 21,
+ "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ce64d965-6cb0-466d-b74f-8d2c76f47f05.json b/packages/security_detection_engine/kibana/security_rule/rule-ce64d965-6cb0-466d-b74f-8d2c76f47f05.json
index 0e1b373679e..629349c40b8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ce64d965-6cb0-466d-b74f-8d2c76f47f05.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ce64d965-6cb0-466d-b74f-8d2c76f47f05.json
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
- "false_positives": [
- "Legitimate exchange system administration activity."
- ],
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
- "references": [
- "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
- "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
- ],
- "risk_score": 47,
- "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Collection"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0009",
- "name": "Collection",
- "reference": "https://attack.mitre.org/tactics/TA0009/"
- },
- "technique": [
- {
- "id": "T1114",
- "name": "Email Collection",
- "reference": "https://attack.mitre.org/techniques/T1114/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+ "false_positives": [
+ "Legitimate exchange system administration activity."
+ ],
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+ "references": [
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+ ],
+ "risk_score": 47,
+ "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Collection"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1114",
+ "name": "Email Collection",
+ "reference": "https://attack.mitre.org/techniques/T1114/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cf53f532-9cc9-445a-9ae7-fced307ec53c.json b/packages/security_detection_engine/kibana/security_rule/rule-cf53f532-9cc9-445a-9ae7-fced307ec53c.json
index 95d7ce90254..bab71c9b2b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cf53f532-9cc9-445a-9ae7-fced307ec53c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cf53f532-9cc9-445a-9ae7-fced307ec53c.json
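Review bot: `process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"` matches a single argv element, so it only fires when the cmdlet name and the parameter name land in the same element; when the command reaches `powershell.exe`/`pwsh.exe` as separately tokenised arguments, no element contains both substrings and the rule is silent. Matching on the whole command line, `process.command_line : \"*Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"`, covers both layouts, on the assumption that the listed `logs-endpoint.events.*`, `winlogbeat-*` and `logs-windows.*` sources populate `process.command_line` for process-start events. Script-file and obfuscated invocations remain outside either form, which is worth one line in `false_positives` or a `note` so analysts know the coverage boundary.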
@@ -1,62 +1,66 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
- "false_positives": [
- "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
- ],
- "index": [
- "packetbeat-*"
- ],
- "language": "lucene",
- "license": "Elastic License v2",
- "name": "Cobalt Strike Command and Control Beacon",
- "note": "This activity has been observed in FIN7 campaigns.",
- "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
- "references": [
- "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
- "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
- ],
- "risk_score": 73,
- "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
- "severity": "high",
- "tags": [
- "Elastic",
- "Network",
- "Threat Detection",
- "Command and Control"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "technique": [
- {
- "id": "T1071",
- "name": "Application Layer Protocol",
- "reference": "https://attack.mitre.org/techniques/T1071/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+ "false_positives": [
+ "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+ ],
+ "index": [
+ "packetbeat-*"
+ ],
+ "language": "lucene",
+ "license": "Elastic License v2",
+ "name": "Cobalt Strike Command and Control Beacon",
+ "note": "This activity has been observed in FIN7 campaigns.",
+ "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+ "references": [
+ "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Network",
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- {
- "id": "T1568",
- "name": "Dynamic Resolution",
- "reference": "https://attack.mitre.org/techniques/T1568/",
- "subtechnique": [
- {
- "id": "T1568.002",
- "name": "Domain Generation Algorithms",
- "reference": "https://attack.mitre.org/techniques/T1568/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ },
+ {
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+ "type": "security_rule"
 }
\ No newline at end of file
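Review bot: In the Lucene regex `/[a-z]{3}.stage.[0-9]{8}\\..*/` the two dots around `stage` are unescaped and match any character, while the final dot is escaped (`\\.` in the JSON string), so the pattern is both looser than the intended literal `.stage.` separators and inconsistent with itself; `destination.domain:/[a-z]{3}\\.stage\\.[0-9]{8}\\..*/` pins all three. The `type:(tls OR http)` clause relies on a non-ECS top-level `type` field, so on a `packetbeat-*` source that carries only ECS fields the rule would silently match nothing; confirming that field against the mapping in use, or accepting `network.protocol:(tls OR http)` as an alternative, would make the rule robust to that difference. The `note` records the FIN7 observation but not the expected false-positive profile of the regex, which the generic `false_positives` text does not cover.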
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json b/packages/security_detection_engine/kibana/security_rule/rule-cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json
index 8e61731dde7..7c48509f1af 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
- "false_positives": [
- "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-130m",
- "index": [
- "filebeat-*",
- "logs-google_workspace*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Domain Added to Google Workspace Trusted Domains",
- "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
- "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
- "references": [
- "https://support.google.com/a/answer/6160020?hl=en"
- ],
- "risk_score": 73,
- "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
- "severity": "high",
- "tags": [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
+ "false_positives": [
+ "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-130m",
+ "index": [
+ "filebeat-*",
+ "logs-google_workspace*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Domain Added to Google Workspace Trusted Domains",
+ "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+ "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
+ "references": [
+ "https://support.google.com/a/answer/6160020?hl=en"
+ ],
+ "risk_score": 73,
+ "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-cff92c41-2225-4763-b4ce-6f71e5bda5e6.json b/packages/security_detection_engine/kibana/security_rule/rule-cff92c41-2225-4763-b4ce-6f71e5bda5e6.json
index f04781f76b7..2ca9d215858 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-cff92c41-2225-4763-b4ce-6f71e5bda5e6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-cff92c41-2225-4763-b4ce-6f71e5bda5e6.json
@@ -1,30 +1,34 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution from Unusual Directory - Command Line", - "note": "This is related to the Process Execution from an Unusual Directory rule", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\", \n \"cscript.exe\", \n \"rundll32.exe\", \n \"regsvr32.exe\", \n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\", \n \"powershell.exe\", \n \"pwsh.exe\", \n \"cmd.exe\") and\n \n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\", \n \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n 
\"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\Web\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n", - "risk_score": 47, - "rule_id": 
"cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "This is related to the Process Execution from an Unusual Directory rule", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\", \n \"cscript.exe\", \n \"rundll32.exe\", \n \"regsvr32.exe\", \n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\", \n \"powershell.exe\", \n \"pwsh.exe\", \n \"cmd.exe\") and\n \n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\", \n \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n 
\"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\Web\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program 
Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n", + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d0e159cf-73e9-40d1-a9ed-077e3158a855.json b/packages/security_detection_engine/kibana/security_rule/rule-d0e159cf-73e9-40d1-a9ed-077e3158a855.json index a2f09b94616..8249b729e60 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d0e159cf-73e9-40d1-a9ed-077e3158a855.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d0e159cf-73e9-40d1-a9ed-077e3158a855.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Registry Persistence via AppInit DLL", - "query": "registry where\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", - "risk_score": 47, - "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.010", - "name": "AppInit DLLs", - "reference": "https://attack.mitre.org/techniques/T1546/010/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. 
AppInit DLLs are loaded by every process using the common library, user32.dll.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "query": "registry where\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "risk_score": 47, + "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d2053495-8fe7-4168-b3df-dad844046be3.json b/packages/security_detection_engine/kibana/security_rule/rule-d2053495-8fe7-4168-b3df-dad844046be3.json index fbaead0d68d..0e49c6d9d28 100644 
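Review bot: The AppInit_Dlls query on the new side's `"query"` line takes every registry event on the two paths, whereas the UAC rule rewritten in this same change (rule-d31f183a) narrows to `event.type == "change"`; for consistency, and so that only writes fire, start it with `registry where event.type == "change" and\n registry.path : (...)`. The `process.executable` exclusion of `msiexec.exe` (System32 and SysWOW64) silently accepts an AppInit DLL registered by any MSI package, a sizeable blind spot for a medium-severity persistence rule; narrowing that exclusion (for example to installers with `process.code_signature.trusted == true`) or recording the trade-off in a `note` field would help analysts judge what the rule does not cover. If these saved-object exports are generated from an upstream rule source, the query change belongs there and this file should be regenerated rather than hand-edited.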
--- a/packages/security_detection_engine/kibana/security_rule/rule-d2053495-8fe7-4168-b3df-dad844046be3.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d2053495-8fe7-4168-b3df-dad844046be3.json
@@ -1,43 +1,47 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", - "false_positives": [ - "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PPTP (Point to Point Tunneling Protocol) Activity", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723", - "risk_score": 21, - "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", + "false_positives": [ + "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. 
Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PPTP (Point to Point Tunneling Protocol) Activity", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723", + "risk_score": 21, + "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "d2053495-8fe7-4168-b3df-dad844046be3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d22a85c6-d2ad-4cc4-bf7b-54787473669a.json b/packages/security_detection_engine/kibana/security_rule/rule-d22a85c6-d2ad-4cc4-bf7b-54787473669a.json index 31c7589c638..b50291b64ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d22a85c6-d2ad-4cc4-bf7b-54787473669a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d22a85c6-d2ad-4cc4-bf7b-54787473669a.json 
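Review bot: The `threat` block on the new side maps tactic TA0011 but leaves `"technique": []` empty even though the description says the protocol is used to tunnel traffic; mapping Protocol Tunneling (T1572) would make the ATT&CK coverage visible in Kibana instead of an unexplained empty list. The false-positive sentence "this rule may false under certain conditions" has lost a word and should read "may fire" or "may trigger". The match is on `destination.port:1723` alone with no `network.direction`, so the ephemeral-port collision the false-positive text already describes is the expected noise source; if the listed data sources populate `network.direction`, restricting the rule to one direction would cut that noise without changing what it is meant to catch.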
@@ -1,33 +1,37 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Microsoft Office Sandbox Evasion", - "query": "event.category:file and not event.type:deletion and file.name:~$*.zip", - "references": [ - "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", - "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", - "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" - ], - "risk_score": 73, - "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious zip file prepended with special characters. 
Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Microsoft Office Sandbox Evasion", + "query": "event.category:file and not event.type:deletion and file.name:~$*.zip", + "references": [ + "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", + "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", + "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" + ], + "risk_score": 73, + "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d31f183a-e5b1-451b-8534-ba62bca0b404.json b/packages/security_detection_engine/kibana/security_rule/rule-d31f183a-e5b1-451b-8534-ba62bca0b404.json index f2799ad798e..07b88c4d7d6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d31f183a-e5b1-451b-8534-ba62bca0b404.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d31f183a-e5b1-451b-8534-ba62bca0b404.json 
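Review bot: The new side tags the rule "Defense Evasion" and rates it `risk_score` 73, but unlike the other rules in this change (rule-d0e159cf, rule-d31f183a, rule-d331bbe2) it carries no `threat` array, so the tactic the tag implies is not machine-readable in Kibana; add a `threat` entry for TA0005 Defense Evasion with the technique the cited references support. A short `note` explaining that `~$` is the prefix Office uses for its temporary owner files, and that `file.name:~$*.zip` is deliberately left unquoted so the `*` acts as a KQL wildcard, would help an analyst triage a high-severity hit without reading the three linked papers.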
@@ -1,80 +1,84 @@ { - "author": [ - "Elastic" - ], - "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Disabling User Account Control via Registry Modification", - "query": "registry where event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : \"0\"\n", - "references": [ - "https://www.greyhathacker.net/?p=796", - "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", - "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" - ], - "risk_score": 47, - "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. 
With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling User Account Control via Registry Modification", + "query": "registry where event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : \"0\"\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] }, - 
"technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d331bbe2-6db4-4941-80a5-8270db72eb61.json b/packages/security_detection_engine/kibana/security_rule/rule-d331bbe2-6db4-4941-80a5-8270db72eb61.json index 052d2bb07eb..a78f80394e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d331bbe2-6db4-4941-80a5-8270db72eb61.json 
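Review bot: The description on the new side expands UAC as "User Account Control" in its first sentence but "User Access Control" in its last, and the T1548.002 subtechnique is named "Bypass User Access Control" in both the TA0004 and TA0005 entries; the Windows feature is User Account Control, so change the last sentence to `...registry value changes to bypass User Account Control (UAC) protection.` and the subtechnique to `"name": "Bypass User Account Control"`. The query's `registry.data.strings : "0"` is the weak-setting value for all three keys, but a `note` stating that `EnableLUA=0` disables UAC outright while `ConsentPromptBehaviorAdmin=0` elevates without prompting and `PromptOnSecureDesktop=0` only moves the prompt off the secure desktop would give analysts severity context the description does not provide.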
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d331bbe2-6db4-4941-80a5-8270db72eb61.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Clearing Windows Event Logs", - "query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"", - "risk_score": 21, - "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. 
This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Clearing Windows Event Logs", + "query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"", + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d461fac0-43e8-49e2-85ea-3a58fe120b4f.json b/packages/security_detection_engine/kibana/security_rule/rule-d461fac0-43e8-49e2-85ea-3a58fe120b4f.json index 0d3e6b64fa3..6be7c8f8da2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d461fac0-43e8-49e2-85ea-3a58fe120b4f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d461fac0-43e8-49e2-85ea-3a58fe120b4f.json 
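Review bot: The KQL on the new side's `"query"` line mixes `and` and `or` without parentheses, and because `and` binds tighter than `or` the `process.name:"powershell.exe" and process.args:"Clear-EventLog"` branch is not constrained by `event.category:process and event.type:(process_started or start)`, so any event category carrying those two fields (a file or network event from a PowerShell process, for instance) matches. Group the two alternatives: `event.category:process and event.type:(process_started or start) and ((process.name:"wevtutil.exe" or process.pe.original_file_name:"wevtutil.exe") and process.args:("/e:false" or cl or "clear-log") or process.name:"powershell.exe" and process.args:"Clear-EventLog")`. The description also misspells the utility as "wevetutil" while the query correctly uses `wevtutil.exe`.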
@@ -1,48 +1,52 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Shell Execution via Apple Scripting", - "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n", - "references": [ - "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", - "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" - ], - "risk_score": 47, - "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). 
Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shell Execution via Apple Scripting", + "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n", + "references": [ + "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" + ], + "risk_score": 47, + "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json b/packages/security_detection_engine/kibana/security_rule/rule-d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json index e81795d07ab..7e11e2797c9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json 
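Review bot: The new side omits `timestamp_override`, while every query and EQL rule in this change sets `"timestamp_override": "event.ingested"` (rule-d0e159cf, rule-d31f183a, rule-d331bbe2 among others), so events ingested late fall outside the `now-9m` window and are never correlated by this sequence; add `"timestamp_override": "event.ingested",` before `"type"` unless the omission is deliberate. If it is deliberate because of how the sequence's `maxspan=5s` is evaluated against the override field, a one-line `note` saying so would stop the next reviewer from re-adding it.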
@@ -1,36 +1,40 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Delete an Okta Application",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:application.lifecycle.delete",
- "references": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Application",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:application.lifecycle.delete",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 21,
+ "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d49cc73f-7a16-4def-89ce-9fc7127d7820.json b/packages/security_detection_engine/kibana/security_rule/rule-d49cc73f-7a16-4def-89ce-9fc7127d7820.json
index b799c0a9509..1afba2a7aa2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d49cc73f-7a16-4def-89ce-9fc7127d7820.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d49cc73f-7a16-4def-89ce-9fc7127d7820.json
@@ -1,29 +1,33 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
- "false_positives": [
- "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
- ],
- "index": [
- "apm-*-transaction*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Web Application Suspicious Activity: sqlmap User Agent",
- "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
- "references": [
- "http://sqlmap.org/"
- ],
- "risk_score": 47,
- "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
- "severity": "medium",
- "tags": [
- "Elastic",
- "APM"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
+ "false_positives": [
+ "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+ ],
+ "index": [
+ "apm-*-transaction*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Web Application Suspicious Activity: sqlmap User Agent",
+ "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+ "references": [
+ "http://sqlmap.org/"
+ ],
+ "risk_score": 47,
+ "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "APM"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d4af3a06-1e0a-48ec-b96a-faf2309fae46.json b/packages/security_detection_engine/kibana/security_rule/rule-d4af3a06-1e0a-48ec-b96a-faf2309fae46.json
index 5f6dc356a78..49dc50fa224 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d4af3a06-1e0a-48ec-b96a-faf2309fae46.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d4af3a06-1e0a-48ec-b96a-faf2309fae46.json
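Review bot: The query on the new side is an exact match on a single banner, `user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"`, so any other sqlmap release produces no hit; the description admits it is an example, but if the rule ships as-is, `user_agent.original:sqlmap*` (a KQL wildcard on the keyword field) covers every version that keeps the default banner. Either way, the rule has no `note`, and one sentence stating that the User-Agent header is client-controlled, so this only identifies scanners that did not change the default and is a low-confidence indicator, is the context an analyst needs when the alert fires.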
@@ -1,44 +1,48 @@
 {
- "anomaly_threshold": 75,
- "author": [
- "Elastic"
- ],
- "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
- "false_positives": [
- "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": "linux_system_information_discovery",
- "name": "Unusual Linux System Information Discovery Activity",
- "risk_score": 21,
- "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "ML"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1082",
- "name": "System Information Discovery",
- "reference": "https://attack.mitre.org/techniques/T1082/"
- }
- ]
- }
- ],
- "type": "machine_learning",
- "version": 2
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+ "false_positives": [
+ "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "linux_system_information_discovery",
+ "name": "Unusual Linux System Information Discovery Activity",
+ "risk_score": 21,
+ "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "ML"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 2
+ },
+ "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d563aaba-2e72-462b-8658-3e5ea22db3a6.json b/packages/security_detection_engine/kibana/security_rule/rule-d563aaba-2e72-462b-8658-3e5ea22db3a6.json
index c6947d67618..c59c803adc5 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d563aaba-2e72-462b-8658-3e5ea22db3a6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d563aaba-2e72-462b-8658-3e5ea22db3a6.json
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Privilege Escalation via Windir Environment Variable",
- "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
- "references": [
- "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
- ],
- "risk_score": 73,
- "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1574",
- "name": "Hijack Execution Flow",
- "reference": "https://attack.mitre.org/techniques/T1574/",
- "subtechnique": [
- {
- "id": "T1574.007",
- "name": "Path Interception by PATH Environment Variable",
- "reference": "https://attack.mitre.org/techniques/T1574/007/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Privilege Escalation via Windir Environment Variable",
+ "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+ "references": [
+ "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.007",
+ "name": "Path Interception by PATH Environment Variable",
+ "reference": "https://attack.mitre.org/techniques/T1574/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json b/packages/security_detection_engine/kibana/security_rule/rule-d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json
index bf399db8eef..159a5e00346 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Delete an Okta Policy Rule",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:policy.rule.delete",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Policy Rule",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:policy.rule.delete",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 21,
+ "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json b/packages/security_detection_engine/kibana/security_rule/rule-d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json
index 5a94f82e810..6741b949b5f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json
@@ -1,89 +1,93 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Service Command Lateral Movement",
- "query": "sequence by process.entity_id with maxspan = 1m\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
- "risk_score": 21,
- "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Lateral Movement"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Service Command Lateral Movement",
+ "query": "sequence by process.entity_id with maxspan = 1m\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+ "risk_score": 21,
+ "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Lateral Movement"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1021",
- "name": "Remote Services",
- "reference": "https://attack.mitre.org/techniques/T1021/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1543",
- "name": "Create or Modify System Process",
- "reference": "https://attack.mitre.org/techniques/T1543/",
- "subtechnique": [
- {
- "id": "T1543.003",
- "name": "Windows Service",
- "reference": "https://attack.mitre.org/techniques/T1543/003/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1569",
- "name": "System Services",
- "reference": "https://attack.mitre.org/techniques/T1569/",
- "subtechnique": [
- {
- "id": "T1569.002",
- "name": "Service Execution",
- "reference": "https://attack.mitre.org/techniques/T1569/002/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 3
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1569",
+ "name": "System Services",
+ "reference": "https://attack.mitre.org/techniques/T1569/",
+ "subtechnique": [
+ {
+ "id": "T1569.002",
+ "name": "Service Execution",
+ "reference": "https://attack.mitre.org/techniques/T1569/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 3
+ },
+ "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json b/packages/security_detection_engine/kibana/security_rule/rule-d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
index 6912a1f208f..de9d852c743 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
@@ -1,77 +1,81 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
- "false_positives": [
- "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "from": "now-60m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS CloudWatch Log Stream Deletion",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
- "references": [
- "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
- "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
- ],
- "risk_score": 47,
- "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0040",
- "name": "Impact",
- "reference": "https://attack.mitre.org/tactics/TA0040/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
+ "false_positives": [
+ "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS CloudWatch Log Stream Deletion",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+ "references": [
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+ "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1485",
- "name": "Data Destruction",
- "reference": "https://attack.mitre.org/techniques/T1485/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d62b64a8-a7c9-43e5-aee3-15a725a794e7.json b/packages/security_detection_engine/kibana/security_rule/rule-d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
index 6f841de3155..050c629f4b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
- "false_positives": [
- "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Pub/Sub Subscription Creation",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
- "references": [
- "https://cloud.google.com/pubsub/docs/overview"
- ],
- "risk_score": 21,
- "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0009",
- "name": "Collection",
- "reference": "https://attack.mitre.org/tactics/TA0009/"
- },
- "technique": [
- {
- "id": "T1530",
- "name": "Data from Cloud Storage Object",
- "reference": "https://attack.mitre.org/techniques/T1530/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+ "false_positives": [
+ "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Pub/Sub Subscription Creation",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+ "references": [
+ "https://cloud.google.com/pubsub/docs/overview"
+ ],
+ "risk_score": 21,
+ "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Log Auditing"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1530",
+ "name": "Data from Cloud Storage Object",
+ "reference": "https://attack.mitre.org/techniques/T1530/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d6450d4e-81c6-46a3-bd94-079886318ed5.json b/packages/security_detection_engine/kibana/security_rule/rule-d6450d4e-81c6-46a3-bd94-079886318ed5.json
index d60a0892170..792e7ba586d 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d6450d4e-81c6-46a3-bd94-079886318ed5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d6450d4e-81c6-46a3-bd94-079886318ed5.json
@@ -1,33 +1,37 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
- "false_positives": [
- "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Strace Process Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
- "references": [
- "https://en.wikipedia.org/wiki/Strace"
- ],
- "risk_score": 21,
- "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
+ "false_positives": [
+ "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Strace Process Activity",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+ "references": [
+ "https://en.wikipedia.org/wiki/Strace"
+ ],
+ "risk_score": 21,
+ "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json b/packages/security_detection_engine/kibana/security_rule/rule-d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json
index 4399f20d00d..aa11ccf66f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
- "false_positives": [
- "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-30m",
- "index": [
- "filebeat-*",
- "logs-o365*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
- "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success",
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
- "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
- ],
- "risk_score": 47,
- "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0001",
- "name": "Initial Access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "technique": [
- {
- "id": "T1566",
- "name": "Phishing",
- "reference": "https://attack.mitre.org/techniques/T1566/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
+ "false_positives": [
+ "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+ ],
+ "risk_score": 47,
+ "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json b/packages/security_detection_engine/kibana/security_rule/rule-d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json
index 9dfa4a42b7e..347b5cf7a2f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Modification of WDigest Security Provider", - "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n registry.data.strings:\"1\"\n", - "references": [ - "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", - "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019" - ], - "risk_score": 73, - "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the 
registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of WDigest Security Provider", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n registry.data.strings:\"1\"\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019" + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "type": "security_rule" } \ No newline at end of file 
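Review bot: The `registry.data.strings:"1"` clause pins the alert to a value of exactly 1, so a write of 2 or any other non-zero DWORD to UseLogonCredential would not alert if WDigest treats non-zero as enabled — that behaviour is worth confirming against the referenced Praetorian write-up before widening the match. If confirmed, `registry.data.strings != "0"` with the same path clause covers it without adding noise, since writes of 0 are the hardening direction. The comparison is against the ECS decimal-string form, so the `winlogbeat-*` pattern presumably only fires when the Sysmon pipeline populates `registry.data.strings` the same way as Endpoint; a sentence in a `note` stating that dependency would help anyone enabling the rule on Sysmon-only hosts.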
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d72e33fc-6e91-42ff-ac8b-e573268c5a87.json b/packages/security_detection_engine/kibana/security_rule/rule-d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
index e991ae21538..03b78d8a1da 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
@@ -1,75 +1,79 @@ { - "author": [ - "Elastic" - ], - "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", - "false_positives": [ - "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Execution via SolarWinds Process", - "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" - ], - "risk_score": 47, - "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", + "false_positives": [ + "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Execution via SolarWinds Process", + "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" + ], + "risk_score": 47, + "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": 
"https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json b/packages/security_detection_engine/kibana/security_rule/rule-d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json index c7d3c5ddea6..defb21fd48c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json 
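Review bot: `process.name: ("cmd.exe", "powershell.exe")` leaves out `pwsh.exe`, so PowerShell 7 spawned from the same SolarWinds parents never alerts even though the rule name promises command execution via those processes; `process.name: ("cmd.exe", "powershell.exe", "pwsh.exe")` is a one-token fix. The parent list is matched by `process.parent.name` only, so a binary of the same name running from outside the SolarWinds install directory is treated identically to the real service; if the intent is to track the SUNBURST tradecraft in the FireEye reference rather than a generic methodology, a `process.parent.executable` path constraint would make the parent match harder to satisfy with a dropped copy. The `false_positives` entry already tells analysts to check network connections and file writes, which is the right triage for the name-only match as written.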
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", - "false_positives": [ - "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" - ], - "risk_score": 47, - "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Microsoft 365", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. 
A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "type": "security_rule" } \ No newline at end of file 
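Review bot: `event.outcome:success` in the query drops failed `Remove-MalwareFilterPolicy` attempts, which for a Defense Evasion rule are often the more interesting signal — an account probing for rights it does not hold. Consider either removing the outcome clause or stating in `note` that failures are intentionally excluded so the gap is a documented choice rather than an accident. The T1562 mapping carries no sub-technique; `T1562.001` (Disable or Modify Tools) seems the closest fit if the threat mapping is meant to be specific, though I'd defer to the ATT&CK version this rule set targets.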
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d75991f2-b989-419d-b797-ac1e54ec2d61.json b/packages/security_detection_engine/kibana/security_rule/rule-d75991f2-b989-419d-b797-ac1e54ec2d61.json
index 6514495637d..9eec92e3092 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d75991f2-b989-419d-b797-ac1e54ec2d61.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d75991f2-b989-419d-b797-ac1e54ec2d61.json
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SystemKey Access via Command Line", - "query": "event.category:process and event.type:(start or process_started) and process.args:\"/private/var/db/SystemKey\"", - "references": [ - "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" - ], - "risk_score": 73, - "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. 
Adversaries may collect the keychain storage data from a system to acquire credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SystemKey Access via Command Line", + "query": "event.category:process and event.type:(start or process_started) and process.args:\"/private/var/db/SystemKey\"", + "references": [ + "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" + ], + "risk_score": 73, + "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d76b02ef-fc95-4001-9297-01cb7412232f.json b/packages/security_detection_engine/kibana/security_rule/rule-d76b02ef-fc95-4001-9297-01cb7412232f.json index 6fb0cfdb4c2..da1f30c2d50 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d76b02ef-fc95-4001-9297-01cb7412232f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d76b02ef-fc95-4001-9297-01cb7412232f.json 
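Review bot: `process.args:"/private/var/db/SystemKey"` is an exact term match, and on macOS `/var` is a symlink to `/private/var`, so a command line that uses `/var/db/SystemKey` reads the same file and evades this rule. `process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey")` closes the obvious variant; a relative path after `cd /private/var/db` still slips past, which is worth a sentence in a `false_positives` or `note` entry so analysts know the rule's coverage is command-line-shape dependent rather than file-access based. Given the `logs-endpoint.events.*` pattern, a file-access event on that path would be the more evasion-resistant signal if Endpoint emits one for reads — I can't confirm that from the hunk.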
@@ -1,45 +1,49 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Interactive Terminal Spawned via Python", - "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")", - "risk_score": 73, - "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. 
Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")", + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d7e62693-aab9-4f66-a21a-3d79ecdd603d.json b/packages/security_detection_engine/kibana/security_rule/rule-d7e62693-aab9-4f66-a21a-3d79ecdd603d.json index 5507c0efb90..b2d6089f1a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-d7e62693-aab9-4f66-a21a-3d79ecdd603d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-d7e62693-aab9-4f66-a21a-3d79ecdd603d.json 
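Review bot: `process.name:python` is an exact term match in KQL, so the far more common `python3` / `python2.7` binaries never match, and the three `process.args` strings only catch the canonical one-liner with double quotes and `/bin/sh|dash|bash` — single quotes, `/bin/zsh`, or dropping the space after the semicolon all evade it. A broader but still targeted form is `process.name:python* and process.args:*pty.spawn*`; the leading wildcard on `process.args` is more expensive at query time, which is acceptable for a 9-minute lookback but worth a glance at index size. If the narrow match is deliberate to keep severity at high with near-zero false positives, a `false_positives`/`note` line saying the rule only covers the textbook one-liner would stop it being read as general pty-upgrade coverage.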
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", - "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMTP on Port 26/TCP", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))", - "references": [ - "https://unit42.paloaltonetworks.com/unit42-badpatch/", - "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" - ], - "risk_score": 21, - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." 
+ ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP on Port 26/TCP", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "type": "security_rule" } \ No newline at end of file 
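Review bot: The `(destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))` clause is redundant — the second disjunct is strictly narrower than the first and can never add a match — so the query reads as though Zeek SMTP is treated specially when it is not. `event.category:(network or network_traffic) and network.transport:tcp and destination.port:26` is behaviour-identical and avoids a reader assuming the zeek branch gates on protocol identification. If the intent was instead to require SMTP actually be observed on port 26 rather than any TCP connection to it, that is `event.dataset:zeek.smtp and destination.port:26` alone, a different and narrower rule; the current form is the broad one, which matches the BadPatch C2 reference but will also fire on any scanner touching the port.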
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json b/packages/security_detection_engine/kibana/security_rule/rule-d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
index 47036c13349..5f4e67f991a 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", - "false_positives": [ - "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Deactivation of MFA Device", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" - ], - "risk_score": 47, - "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": 
"Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", + "false_positives": [ + "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Deactivation of MFA Device", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" + ], + "risk_score": 47, + "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", + "type": "security_rule" } \ No newline at end of file 
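Review bot: The `note` still reads "The AWS Filebeat module must be enabled to use this rule", but the index pattern includes `logs-aws*`, the Fleet integration data stream, so the prerequisite understates how the rule can be fed; the Microsoft 365 rules in this change use "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", and `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."` would match. Separately, `event.outcome:success` means an AccessDenied `DeactivateMFADevice` is silent, and that attempt is a useful precursor for an account trying to weaken its own MFA — consider surfacing failures or documenting the exclusion. The T1531 (Account Access Removal) mapping describes locking legitimate users out, whereas deactivating MFA weakens authentication for the attacker's benefit; a Persistence/Account Manipulation mapping like the Azure MFA rule in this change uses may fit better, depending on the ATT&CK version targeted.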
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-dafa3235-76dc-40e2-9f71-1773b96d24cf.json b/packages/security_detection_engine/kibana/security_rule/rule-dafa3235-76dc-40e2-9f71-1773b96d24cf.json
index 4c4bedbb0a9..b227a144ec7 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-dafa3235-76dc-40e2-9f71-1773b96d24cf.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-dafa3235-76dc-40e2-9f71-1773b96d24cf.json
@@ -1,47 +1,51 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Multi-Factor Authentication Disabled for an Azure User", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)", - "risk_score": 47, - "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. 
An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Multi-Factor Authentication Disabled for an Azure User", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)", + "risk_score": 47, + "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-db8c33a8-03cd-4988-9e2c-d0a4863adb13.json b/packages/security_detection_engine/kibana/security_rule/rule-db8c33a8-03cd-4988-9e2c-d0a4863adb13.json index 3ed5df214d5..d71d06e5e8a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-db8c33a8-03cd-4988-9e2c-d0a4863adb13.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-db8c33a8-03cd-4988-9e2c-d0a4863adb13.json 
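Review bot: `azure.auditlogs.operation_name:"Disable Strong Authentication"` only sees the per-user MFA toggle, so a tenant that enforces MFA through Conditional Access can have MFA effectively removed (policy disabled or deleted) without this rule firing; if no sibling rule covers Conditional Access policy changes, say so in the description so the rule is not mistaken for complete MFA coverage. The `event.outcome:(Success or success)` double-spelling suggests the outcome value is not normalised between the Filebeat module and the Fleet integration — a reasonable workaround, but a sentence in `note` explaining why both cases are listed would stop a future clean-up from dropping one. That `note` also mentions only the Filebeat module while `logs-azure*` is the integration stream; `"note": "The Azure Fleet integration or Filebeat module must be enabled to use this rule."` matches the wording the Microsoft 365 rules in this change use.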
@@ -1,24 +1,28 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
-  "from": "now-15m",
-  "index": [
-    "endgame-*"
-  ],
-  "interval": "10m",
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Credential Dumping - Prevented - Elastic Endgame",
-  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
-  "risk_score": 47,
-  "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Elastic Endgame"
-  ],
-  "type": "query",
-  "version": 5
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Credential Dumping - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-dc9c1f74-dac3-48e3-b47f-eb79db358f57.json b/packages/security_detection_engine/kibana/security_rule/rule-dc9c1f74-dac3-48e3-b47f-eb79db358f57.json
index e0db8adf79a..d7a468be551 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-dc9c1f74-dac3-48e3-b47f-eb79db358f57.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-dc9c1f74-dac3-48e3-b47f-eb79db358f57.json
@@ -1,53 +1,57 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
-  "from": "now-9m",
-  "index": [
-    "winlogbeat-*",
-    "logs-endpoint.events.*",
-    "logs-windows.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Volume Shadow Copy Deletion via WMIC",
-  "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
-  "risk_score": 73,
-  "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
-  "severity": "high",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Defense Evasion"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1070",
-          "name": "Indicator Removal on Host",
-          "reference": "https://attack.mitre.org/techniques/T1070/",
-          "subtechnique": [
-            {
-              "id": "T1070.004",
-              "name": "File Deletion",
-              "reference": "https://attack.mitre.org/techniques/T1070/004/"
-            }
-          ]
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 8
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-dca28dee-c999-400f-b640-50a081cc0fd1.json b/packages/security_detection_engine/kibana/security_rule/rule-dca28dee-c999-400f-b640-50a081cc0fd1.json
index 3b483801870..fb32d73428f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-dca28dee-c999-400f-b640-50a081cc0fd1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-dca28dee-c999-400f-b640-50a081cc0fd1.json
@@ -1,30 +1,34 @@
 {
-  "anomaly_threshold": 50,
-  "author": [
-    "Elastic"
-  ],
-  "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
-  "false_positives": [
-    "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
-  ],
-  "from": "now-60m",
-  "interval": "15m",
-  "license": "Elastic License v2",
-  "machine_learning_job_id": "rare_method_for_a_country",
-  "name": "Unusual Country For an AWS Command",
-  "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-  "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-  ],
-  "risk_score": 21,
-  "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Cloud",
-    "AWS",
-    "ML"
-  ],
-  "type": "machine_learning",
-  "version": 3
+  "attributes": {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  "id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json b/packages/security_detection_engine/kibana/security_rule/rule-de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json
index 2857e5ded21..b43796710b6 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json
@@ -1,46 +1,50 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
-  "from": "now-9m",
-  "index": [
-    "winlogbeat-*",
-    "logs-endpoint.events.*",
-    "logs-windows.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Unusual Child Process from a System Virtual Process",
-  "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
-  "risk_score": 73,
-  "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
-  "severity": "high",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Defense Evasion"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1055",
-          "name": "Process Injection",
-          "reference": "https://attack.mitre.org/techniques/T1055/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 3
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-debff20a-46bc-4a4d-bae5-5cdd14222795.json b/packages/security_detection_engine/kibana/security_rule/rule-debff20a-46bc-4a4d-bae5-5cdd14222795.json
index 0b53e21810f..c04d6b7e382 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-debff20a-46bc-4a4d-bae5-5cdd14222795.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-debff20a-46bc-4a4d-bae5-5cdd14222795.json
@@ -1,53 +1,57 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
-  "false_positives": [
-    "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
-  ],
-  "from": "now-9m",
-  "index": [
-    "auditbeat-*",
-    "logs-endpoint.events.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Base16 or Base32 Encoding/Decoding Activity",
-  "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
-  "risk_score": 21,
-  "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Linux",
-    "Threat Detection",
-    "Defense Evasion"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1140",
-          "name": "Deobfuscate/Decode Files or Information",
-          "reference": "https://attack.mitre.org/techniques/T1140/"
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
-        {
-          "id": "T1027",
-          "name": "Obfuscated Files or Information",
-          "reference": "https://attack.mitre.org/techniques/T1027/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 7
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  "id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-df197323-72a8-46a9-a08e-3f5b04a4a97a.json b/packages/security_detection_engine/kibana/security_rule/rule-df197323-72a8-46a9-a08e-3f5b04a4a97a.json
index bbe1927b712..927ecd3b055 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-df197323-72a8-46a9-a08e-3f5b04a4a97a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-df197323-72a8-46a9-a08e-3f5b04a4a97a.json
@@ -1,27 +1,31 @@
 {
-  "anomaly_threshold": 75,
-  "author": [
-    "Elastic"
-  ],
-  "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
-  "false_positives": [
-    "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
-  ],
-  "from": "now-45m",
-  "interval": "15m",
-  "license": "Elastic License v2",
-  "machine_learning_job_id": "windows_rare_metadata_user",
-  "name": "Unusual Windows User Calling the Metadata Service",
-  "risk_score": 21,
-  "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "ML"
-  ],
-  "type": "machine_learning",
-  "version": 2
+  "attributes": {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_metadata_user",
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-df26fd74-1baa-4479-b42e-48da84642330.json b/packages/security_detection_engine/kibana/security_rule/rule-df26fd74-1baa-4479-b42e-48da84642330.json
index 6c9357311ab..3e5ff7e572b 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-df26fd74-1baa-4479-b42e-48da84642330.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-df26fd74-1baa-4479-b42e-48da84642330.json
@@ -1,68 +1,72 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
-  "from": "now-25m",
-  "index": [
-    "filebeat-*",
-    "logs-azure*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Azure Automation Account Created",
-  "note": "The Azure Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)",
-  "references": [
-    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
-    "https://github.com/hausec/PowerZure",
-    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
-  ],
-  "risk_score": 21,
-  "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Cloud",
-    "Azure",
-    "Continuous Monitoring",
-    "SecOps",
-    "Identity and Access"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0003",
-        "name": "Persistence",
-        "reference": "https://attack.mitre.org/tactics/TA0003/"
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Account Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
       },
-      "technique": [
-        {
-          "id": "T1078",
-          "name": "Valid Accounts",
-          "reference": "https://attack.mitre.org/techniques/T1078/"
-        }
-      ]
-    },
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1078",
-          "name": "Valid Accounts",
-          "reference": "https://attack.mitre.org/techniques/T1078/"
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 4
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  "id": "df26fd74-1baa-4479-b42e-48da84642330",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-df959768-b0c9-4d45-988c-5606a2be8e5a.json b/packages/security_detection_engine/kibana/security_rule/rule-df959768-b0c9-4d45-988c-5606a2be8e5a.json
index 98d5b2b0682..71252676768 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-df959768-b0c9-4d45-988c-5606a2be8e5a.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-df959768-b0c9-4d45-988c-5606a2be8e5a.json
@@ -1,30 +1,34 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
-  "false_positives": [
-    "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
-  ],
-  "from": "now-9m",
-  "index": [
-    "auditbeat-*",
-    "logs-endpoint.events.*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Unusual Process Execution - Temp",
-  "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
-  "risk_score": 47,
-  "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Host",
-    "Linux",
-    "Threat Detection"
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 7
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  "id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json b/packages/security_detection_engine/kibana/security_rule/rule-e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json
index a82f3be3f3d..f2829589b07 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json
@@ -1,60 +1,64 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
-  "false_positives": [
-    "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
-  ],
-  "from": "now-25m",
-  "index": [
-    "filebeat-*",
-    "logs-azure*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Azure Firewall Policy Deletion",
-  "note": "The Azure Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)",
-  "references": [
-    "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
-  ],
-  "risk_score": 21,
-  "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Cloud",
-    "Azure",
-    "Continuous Monitoring",
-    "SecOps",
-    "Network Security"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT\u0026CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1562",
-          "name": "Impair Defenses",
-          "reference": "https://attack.mitre.org/techniques/T1562/",
-          "subtechnique": [
-            {
-              "id": "T1562.001",
-              "name": "Disable or Modify Tools",
-              "reference": "https://attack.mitre.org/techniques/T1562/001/"
-            }
-          ]
-        }
-      ]
-    }
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 4
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT\u0026CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+  "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e08ccd49-0380-4b2b-8d71-8000377d6e49.json b/packages/security_detection_engine/kibana/security_rule/rule-e08ccd49-0380-4b2b-8d71-8000377d6e49.json index 1b2d6af728e..9619f177ce6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e08ccd49-0380-4b2b-8d71-8000377d6e49.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e08ccd49-0380-4b2b-8d71-8000377d6e49.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", - "from": "now-180m", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempts to Brute Force an Okta User Account", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:user.account.lock", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "okta.actor.id" + "attributes": { + "author": [ + "Elastic" ], - "value": 3 + "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. 
The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", + "from": "now-180m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force an Okta User Account", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:user.account.lock", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.id" + ], + "value": 3 + }, + "type": "threshold", + "version": 3 }, - "type": "threshold", - "version": 3 + "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e0f36de1-0342-453d-95a9-a068b257b053.json b/packages/security_detection_engine/kibana/security_rule/rule-e0f36de1-0342-453d-95a9-a068b257b053.json index 30d7465c041..46ad4a113a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e0f36de1-0342-453d-95a9-a068b257b053.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e0f36de1-0342-453d-95a9-a068b257b053.json 
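Review bot: The new top-level `id` duplicates `attributes.rule_id` (both `e08ccd49-0380-4b2b-8d71-8000377d6e49`), and nothing visible in the package asserts that the two stay equal, so a hand edit to one of them would install a saved object whose id and rule_id disagree. Every file section in this diff uses the same shape, so a single package-level check (or a build step that derives the outer `id` from `attributes.rule_id`) would cover all of them. The wrapper also makes `type` appear twice with different meanings — `attributes.type` is the rule type (`threshold` here) while the outer `type` is the saved-object type `security_rule` — which deserves one sentence in the package documentation so maintainers do not confuse the two.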
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", - "false_positives": [ - "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Event Hub Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", - "https://azure.microsoft.com/en-in/services/event-hubs/", - "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" - ], - "risk_score": 47, - "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Log Auditing" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - 
"timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", + "false_positives": [ + "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Event Hub Deletion", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", + "https://azure.microsoft.com/en-in/services/event-hubs/", + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" + ], + "risk_score": 47, + "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": 
"https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "e0f36de1-0342-453d-95a9-a068b257b053", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json b/packages/security_detection_engine/kibana/security_rule/rule-e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json index 07c252a8427..f29a3bf3fc5 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json 
@@ -1,66 +1,70 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", - "false_positives": [ - "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Cluster Creation", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" - ], - "risk_score": 21, - "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", + 
"false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Cluster Creation", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" + ], + "risk_score": 21, + "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": 
"https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e19e64ee-130e-4c07-961f-8a339f0b8362.json b/packages/security_detection_engine/kibana/security_rule/rule-e19e64ee-130e-4c07-961f-8a339f0b8362.json index 951356905d9..c2962c967fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e19e64ee-130e-4c07-961f-8a339f0b8362.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e19e64ee-130e-4c07-961f-8a339f0b8362.json 
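Review bot: The second `threat` entry maps the Defense Evasion tactic (`TA0005`) with `"technique": []`, so the rule advertises a tactic with no technique under it and ATT&CK coverage views will show nothing for that mapping; either add the intended technique or drop the entry. The hh.exe rule later in this diff (`e3343ab9-4245-4715-b344-e11c56b0a47f`) has the same empty `technique` array under its Execution tactic. The Persistence mapping to T1133 External Remote Services for a `CreateDBCluster`/`CreateGlobalCluster` call is also a loose fit and is worth a justification in the package docs, since the query only sees the cluster creation itself.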
@@ -1,47 +1,51 @@ { - "author": [ - "Elastic" - ], - "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", - "false_positives": [ - "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to External Network via Telnet", - "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n", - "risk_score": 47, - "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. 
Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to External Network via Telnet", + "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n", + "risk_score": 47, + "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "e19e64ee-130e-4c07-961f-8a339f0b8362", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e2a67480-3b79-403d-96e3-fdd2992c50ef.json b/packages/security_detection_engine/kibana/security_rule/rule-e2a67480-3b79-403d-96e3-fdd2992c50ef.json index d9967ff792c..6e240fa40a9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e2a67480-3b79-403d-96e3-fdd2992c50ef.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e2a67480-3b79-403d-96e3-fdd2992c50ef.json 
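Review bot: The `cidrmatch` exclusion list in `query` does not cover every non-public range, so the rule will alert on Telnet connections that the description ("publicly routable IP addresses") says it should not: IPv4 link-local `169.254.0.0/16` and IPv6 unique-local `fc00::/7` are missing at minimum, and shared address space `100.64.0.0/10` is arguable. Extending the list, e.g. `not cidrmatch(destination.ip, "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "FE80::/10", "fc00::/7", "::1/128")`, keeps the query aligned with the description and avoids noise from lab and link-local targets. The `sequence by process.entity_id` also carries no `with maxspan`, so the state kept between the process start and its network event is unbounded; `sequence by process.entity_id with maxspan=1m` would bound matcher memory while still covering an interactive telnet client.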
@@ -1,69 +1,73 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a successful login to the AWS Management Console by the Root user.", - "false_positives": [ - "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Management Console Root Login", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - ], - "risk_score": 73, - "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a successful login to the AWS Management Console by the Root user.", + "false_positives": [ + "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Root Login", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "risk_score": 73, + "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": 
"e2a67480-3b79-403d-96e3-fdd2992c50ef", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json b/packages/security_detection_engine/kibana/security_rule/rule-e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json index 59784a5d5bc..ee63991ef88 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Process Execution via Renamed PsExec Executable", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", - "risk_score": 47, - "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1569", - "name": "System Services", - "reference": "https://attack.mitre.org/techniques/T1569/", - "subtechnique": [ - { - "id": "T1569.002", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1569/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Execution via Renamed PsExec Executable", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", + "risk_score": 47, + "rule_id": 
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e2fb5b18-e33c-4270-851e-c3d675c9afcd.json b/packages/security_detection_engine/kibana/security_rule/rule-e2fb5b18-e33c-4270-851e-c3d675c9afcd.json index 80ff6e6c942..c70905c6a97 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e2fb5b18-e33c-4270-851e-c3d675c9afcd.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e2fb5b18-e33c-4270-851e-c3d675c9afcd.json 
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", - "false_positives": [ - "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Role Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success", - "references": [ - "https://cloud.google.com/iam/docs/understanding-roles" - ], - "risk_score": 21, - "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). 
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", + "false_positives": [ + "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Role Deletion", + "note": "The GCP Filebeat module must be enabled to use this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success", + "references": [ + "https://cloud.google.com/iam/docs/understanding-roles" + ], + "risk_score": 21, + "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e3343ab9-4245-4715-b344-e11c56b0a47f.json b/packages/security_detection_engine/kibana/security_rule/rule-e3343ab9-4245-4715-b344-e11c56b0a47f.json index 99bb288e939..2709b9530d8 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-e3343ab9-4245-4715-b344-e11c56b0a47f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e3343ab9-4245-4715-b344-e11c56b0a47f.json 
@@ -1,65 +1,69 @@ { - "author": [ - "Elastic" - ], - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "false_positives": [ - "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Process Activity via Compiled HTML File", - "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe", - "risk_score": 21, - "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." 
+ ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe", + "risk_score": 21, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.001", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1218/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e3c5d5cb-41d5-4206-805c-f30561eae3ac.json b/packages/security_detection_engine/kibana/security_rule/rule-e3c5d5cb-41d5-4206-805c-f30561eae3ac.json index 5bbf6abe055..7c1241d7ceb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e3c5d5cb-41d5-4206-805c-f30561eae3ac.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e3c5d5cb-41d5-4206-805c-f30561eae3ac.json 
@@ -1,24 +1,28 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Ransomware - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
- "risk_score": 73,
- "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 5
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Ransomware - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+ "risk_score": 73,
+ "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame"
+ ],
+ "type": "query",
+ "version": 5
+ },
+ "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json b/packages/security_detection_engine/kibana/security_rule/rule-e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json
index 4874aa5a384..7d10fd3cc9a 100644
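Review bot: The new top-level `id` repeats `attributes.rule_id` byte for byte, so the two values can drift apart in a later edit without anything on this page failing; if the saved-object loader genuinely needs both, a build-time check that they agree is worth adding. The file also still ends without a trailing newline (`\ No newline at end of file`), as does every other rule file in this set (the e3cf38fa, e3e904b3, e48236ca, e555105c, e56993d2, e6c1a552 and e6c98d38 hunks); if these files are emitted by a generator, the fix belongs there rather than in each file.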
--- a/packages/security_detection_engine/kibana/security_rule/rule-e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Commonly Abused Free SSL Certificate Providers", - "query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", - "risk_score": 21, - "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1573", - "name": "Encrypted Channel", - "reference": "https://attack.mitre.org/techniques/T1573/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual processes connecting to domains using known free 
SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Free SSL Certificate Providers", + "query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "risk_score": 21, + "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "type": "security_rule" } \ No newline at end of file 
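Review bot: In the `query` string the first domain pattern, `"*letsencrypt.org"`, has no dot separator while the other three (`"*.sslforfree.com"`, `"*.zerossl.com"`, `"*.freessl.org"`) do, so it also matches any name that merely ends in `letsencrypt.org` rather than names under that domain; presumably `"*.letsencrypt.org"` was intended, or the other three should deliberately be widened the same way, but the list should be one or the other. The same string mixes tab and space indentation between the `process.executable` entries (`\n\t ` next to `\n `), which only hurts readability of the EQL when it is rendered; normalising to spaces costs nothing.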
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e3e904b3-0a8e-4e68-86a8-977a163e21d3.json b/packages/security_detection_engine/kibana/security_rule/rule-e3e904b3-0a8e-4e68-86a8-977a163e21d3.json
index d7ba41880ae..cb0d5e3ced8 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-e3e904b3-0a8e-4e68-86a8-977a163e21d3.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e3e904b3-0a8e-4e68-86a8-977a163e21d3.json
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "query": "file where event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n )\n", - "references": [ - "https://userbase.kde.org/System_Settings/Autostart", - "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" - ], - "risk_score": 47, - "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": 
"https://attack.mitre.org/techniques/T1547/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "query": "file where event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n )\n", + "references": [ + "https://userbase.kde.org/System_Settings/Autostart", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "risk_score": 47, + "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + 
"technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json b/packages/security_detection_engine/kibana/security_rule/rule-e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json index fd4f2902c6b..6cf3a938483 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json 
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Network Security" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Network Zone", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e555105c-ba6d-481f-82bb-9b633e7b4827.json b/packages/security_detection_engine/kibana/security_rule/rule-e555105c-ba6d-481f-82bb-9b633e7b4827.json index 567c7cfb038..12c64caa801 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e555105c-ba6d-481f-82bb-9b633e7b4827.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e555105c-ba6d-481f-82bb-9b633e7b4827.json 
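Review bot: The `false_positives` entry carries the typo `Oyour` onto the new side; it should read `"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."`. Separately, the `description` says the rule covers attempts to modify, delete, or deactivate a network zone, but the `query` only lists `zone.update`, `network_zone.rule.disabled` and `zone.remove_blacklist`; either the corresponding delete/deactivate event types should be added (check them against the Okta event-types page already in `references`) or the description narrowed so it does not promise coverage the query does not have.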
@@ -1,34 +1,38 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "MFA Disabled for Google Workspace Organization", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", - "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false", - "risk_score": 47, - "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
+ ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "MFA Disabled for Google Workspace Organization", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false", + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "type": "security_rule" } \ No newline at end of file 
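Review bot: The `query` accepts events from both the `gsuite.admin` and `google_workspace.admin` datasets but its final clause tests only `gsuite.admin.new_value:false`; if the Google Workspace integration publishes that field under a `google_workspace.admin.*` prefix, events from the newer dataset can never satisfy the clause and the rule silently misses MFA being disabled on that data path. I would confirm the field name and, if it differs, accept both, e.g. `and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)`.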
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e56993d2-759c-4120-984c-9ec9bb940fd5.json b/packages/security_detection_engine/kibana/security_rule/rule-e56993d2-759c-4120-984c-9ec9bb940fd5.json
index 12b6128596e..76522119e7c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-e56993d2-759c-4120-984c-9ec9bb940fd5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e56993d2-759c-4120-984c-9ec9bb940fd5.json
@@ -1,64 +1,68 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RDP (Remote Desktop Protocol) to the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", - "risk_score": 21, - "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." 
+ ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RDP (Remote Desktop Protocol) to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )", + "risk_score": 21, + "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], 
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 8
+ },
+ "id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e6c1a552-7776-44ad-ae0f-8746cc07773c.json b/packages/security_detection_engine/kibana/security_rule/rule-e6c1a552-7776-44ad-ae0f-8746cc07773c.json
index a9bb6be68c3..9bca9ac1255 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-e6c1a552-7776-44ad-ae0f-8746cc07773c.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e6c1a552-7776-44ad-ae0f-8746cc07773c.json
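Review bot: The `source.ip` clause in `query` admits only the three RFC 1918 IPv4 ranges, while the `destination.ip` exclusion already reasons about IPv6 (`"::1"`, `"FE80::/10"`, `"FF00::/8"`); RDP leaving an IPv6-addressed internal host (ULA `fc00::/7`) therefore never matches, and whether that asymmetry is deliberate is not visible here. If IPv6 sources are in scope, add `fc00::/7` to the `source.ip` list and keep the destination exclusions in step with it; if they are not, a short sentence in `false_positives` or a `note` saying the rule is IPv4-only would save the next reader the same question.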
@@ -1,59 +1,63 @@ { - "author": [ - "Elastic" - ], - "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", - "false_positives": [ - "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Bash Shell Profile Modification", - "query": "event.category:file and event.type:change and process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or launchctl or java)) and not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or /home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or /Users/*/.zshenv)", - "references": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" - ], - "risk_score": 47, - "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Linux", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.004", - "name": ".bash_profile and .bashrc", - "reference": 
"https://attack.mitre.org/techniques/T1546/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", + "false_positives": [ + "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Bash Shell Profile Modification", + "query": "event.category:file and event.type:change and process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or launchctl or java)) and not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or /home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or /Users/*/.zshenv)", + "references": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "risk_score": 47, + "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": ".bash_profile and .bashrc", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e6c98d38-633d-4b3e-9387-42112cd5ac10.json b/packages/security_detection_engine/kibana/security_rule/rule-e6c98d38-633d-4b3e-9387-42112cd5ac10.json index 6d4799c9658..e3e2a3558ec 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e6c98d38-633d-4b3e-9387-42112cd5ac10.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e6c98d38-633d-4b3e-9387-42112cd5ac10.json 
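Review bot: The `file.path` list in `query` is uneven against the `description` and the `macOS` tag: it watches `/Users/*/.bash_profile` and `/Users/*/.zshenv` but not `/Users/*/.bashrc`, although `.bashrc` is half of what the description says the rule is about, and no `/root/` profile path is covered at all. The `/home/*/.profile1` and `/home/*/.bash_profile1` entries also look like they may be typos for the unsuffixed names; if they are intentional, a sentence in `description` explaining why would save the next reader the same question.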
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Authorization Plugin Modification", - "query": "event.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)", - "references": [ - "https://developer.apple.com/documentation/security/authorization_plug-ins", - "https://www.xorrior.com/persistent-credential-theft/" - ], - "risk_score": 47, - "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": "https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. 
Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Authorization Plugin Modification", + "query": "event.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)", + "references": [ + "https://developer.apple.com/documentation/security/authorization_plug-ins", + "https://www.xorrior.com/persistent-credential-theft/" + ], + "risk_score": 47, + "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e6e3ecff-03dd-48ec-acbd-54a04de10c68.json b/packages/security_detection_engine/kibana/security_rule/rule-e6e3ecff-03dd-48ec-acbd-54a04de10c68.json index d8e143b3a5d..dce691f4d3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e6e3ecff-03dd-48ec-acbd-54a04de10c68.json 
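Review bot: The TeamViewer carve-out in the new `query` is a bare path allowlist, so any file written under `/Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/` — including a rogue plugin an attacker drops there precisely because this exclusion is public — is silently ignored by a rule whose own description says the location is used to persist and harvest clear-text credentials. If the endpoint data carries the writing process, tightening the exception to the TeamViewer installer/updater (for example adding a `process.executable` or code-signing condition alongside the path) keeps the noise reduction without the blind spot; I cannot confirm from this hunk which of those fields are populated. At minimum a `false_positives` entry should state that the exclusion is path-only, e.g. `"The TeamViewer authorization plugin is excluded by path only; verify the writing process when activity under that bundle looks unexpected."`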
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e6e3ecff-03dd-48ec-acbd-54a04de10c68.json 
@@ -1,55 +1,59 @@ { - "author": [ - "Elastic" - ], - "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Possible Okta DoS Attack", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1498", - "name": "Network Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1498/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. 
An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Okta DoS Attack", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" }, - { - "id": "T1499", - "name": "Endpoint Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1499/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + }, + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", + "type": "security_rule" } \ No newline at end of file 
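Review bot: The new `query` alerts on every `system.org.rate_limit.warning` event, which judging by its name is raised before any limit is actually exceeded, yet the rule ships no `false_positives` guidance even though legitimate high-volume integrations routinely trip these warnings. Consider adding `"false_positives": ["Rate-limit warnings and violations are also generated by legitimate high-volume automation such as directory synchronisation or bulk user imports; exclude known integration clients or tune the rule."]` so analysts are not left guessing. Because this is a plain `query` rule rather than a `threshold` rule, a single warning produces an alert; for a DoS detection a threshold keyed on the offending client would fit the stated intent better, though which client fields are available is not visible in this hunk.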
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e7075e8d-a966-458e-a183-85cd331af255.json b/packages/security_detection_engine/kibana/security_rule/rule-e7075e8d-a966-458e-a183-85cd331af255.json index bfb0f08aa30..42e3f824c1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e7075e8d-a966-458e-a183-85cd331af255.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e7075e8d-a966-458e-a183-85cd331af255.json 
@@ -1,59 +1,63 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.", - "index": [ - "filebeat-*", - "packetbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Default Cobalt Strike Team Server Certificate", - "note": "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. 
This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.", - "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)", - "references": [ - "https://attack.mitre.org/software/S0154/", - "https://www.cobaltstrike.com/help-setup-collaboration", - "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", - "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", - "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html" - ], - "risk_score": 99, - "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", - "severity": "critical", - "tags": [ - "Command and Control", - "Post-Execution", - "Threat Detection", - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. 
Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.", + "index": [ + "filebeat-*", + "packetbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Default Cobalt Strike Team Server Certificate", + "note": "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.", + "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)", + "references": [ + "https://attack.mitre.org/software/S0154/", + "https://www.cobaltstrike.com/help-setup-collaboration", + "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html" + ], + "risk_score": 99, + "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", + "severity": "critical", + "tags": [ + "Command and Control", + "Post-Execution", + "Threat Detection", + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + 
"reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "e7075e8d-a966-458e-a183-85cd331af255", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json b/packages/security_detection_engine/kibana/security_rule/rule-e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json index 48e9272fbd5..3acd256443d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json 
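Review bot: The `note` should caveat that the three hashes in `query` identify only the out-of-the-box Team Server certificate; operators commonly swap the keystore or use a custom profile, so a miss on this rule is not evidence of absence and should not be read as "no Cobalt Strike". Suggested addition to `note`: `"This rule matches only the default Team Server certificate; a customised keystore or C2 profile will not trigger it, so treat it as a high-confidence, low-coverage indicator."` Separately, the `references` pin the Filebeat Suricata and Zeek module docs to `7.9` while the Packetbeat link uses `current`; pointing all three at `current` avoids stale configuration guidance.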
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of Persistent Suspicious Program", - "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", - "risk_score": 47, - "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": 
"T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 2 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of Persistent Suspicious Program", + "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", + "risk_score": 47, + "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + 
"technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e8571d5f-bea1-46c2-9f56-998de2d3ed95.json b/packages/security_detection_engine/kibana/security_rule/rule-e8571d5f-bea1-46c2-9f56-998de2d3ed95.json index eb643293ceb..e2b8529f39d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e8571d5f-bea1-46c2-9f56-998de2d3ed95.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e8571d5f-bea1-46c2-9f56-998de2d3ed95.json 
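Review bot: Unlike the other `eql` rule in this change (Installation of Security Support Provider), this rule sets `"from": "now-9m"` without a `timestamp_override`, so a logon sequence whose events are ingested more than nine minutes after they occurred (offline agent, ingest backlog) falls outside the lookback and is never evaluated; adding `"timestamp_override": "event.ingested"` next to `from` aligns it with its siblings. I would also extend the comment at the top of `query` to say that the third stage depends on `process.pe.original_file_name` being populated, so data sources that do not collect PE metadata (plain process-creation audit events, if I read the `index` list correctly) will never complete the sequence.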
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Local Service Commands", - "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)", - "risk_score": 21, - "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. 
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Local Service Commands", + "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)", + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e86da94d-e54b-4fb5-b96c-cecff87e8787.json b/packages/security_detection_engine/kibana/security_rule/rule-e86da94d-e54b-4fb5-b96c-cecff87e8787.json index f4f22f3a46d..b45563fbe0a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e86da94d-e54b-4fb5-b96c-cecff87e8787.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e86da94d-e54b-4fb5-b96c-cecff87e8787.json 
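Review bot: The `description` says this rule identifies `sc.exe` acting on remote hosts, but the new `query` places no constraint on the target, so every local `sc config|create|failure|start` — routine admin and installer activity — alerts, and the Lateral Movement / Remote Services mapping does not describe what is actually detected. If remote service manipulation is the intent, the query should additionally require an argument in the `\\host` form that sc.exe uses for a remote target; otherwise the description should be reworded to local service creation and the technique mapping changed to match. The `name` ("Local Service Commands") and the `description` ("on remote hosts") currently contradict each other and should be reconciled whichever way is chosen.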
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Installation of Security Support Provider", - "query": "registry where\n registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", - "risk_score": 47, - "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.005", - "name": "Security Support Provider", - "reference": "https://attack.mitre.org/techniques/T1547/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. 
Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Security Support Provider", + "query": "registry where\n registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "risk_score": 47, + "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.005", + "name": "Security Support Provider", + "reference": "https://attack.mitre.org/techniques/T1547/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e90ee3af-45fc-432e-a850-4a58cf14a457.json b/packages/security_detection_engine/kibana/security_rule/rule-e90ee3af-45fc-432e-a850-4a58cf14a457.json index 601fd02d58b..d2821584578 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e90ee3af-45fc-432e-a850-4a58cf14a457.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e90ee3af-45fc-432e-a850-4a58cf14a457.json 
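Review bot: The `not process.executable : (...msiexec.exe)` exclusion in the new `query` means an attacker who packages a rogue SSP in an MSI and installs it through the genuine System32 `msiexec.exe` is invisible to this rule, which is a cheap bypass for a persistence and credential-theft technique the rule rates `medium`. Either drop the exclusion and handle installer noise through rule exceptions, or document the gap with a `false_positives` entry such as `"Registrations performed by msiexec.exe are excluded by process path, so SSPs installed via MSI packages are not detected; review MSI-based installs separately."` so analysts know it exists. The `registry.path` patterns also cover only `CurrentControlSet`; whether this data source ever reports the numbered `ControlSet` paths is not visible here and worth confirming.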
@@ -1,89 +1,93 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", - "false_positives": [ - "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "High Number of Okta User Password Reset or Unlock Attempts", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", 
- "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", + "false_positives": [ + "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Okta User Password Reset or Unlock Attempts", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } 
+ ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "threshold": { - "field": [ - "okta.actor.id" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } ], - "value": 5 + "threshold": { + "field": [ + "okta.actor.id" + ], + "value": 5 + }, + "type": "threshold", + "version": 3 }, - "type": "threshold", - "version": 3 + "id": "e90ee3af-45fc-432e-a850-4a58cf14a457", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e94262f2-c1e9-4d3f-a907-aeab16712e1a.json b/packages/security_detection_engine/kibana/security_rule/rule-e94262f2-c1e9-4d3f-a907-aeab16712e1a.json index b5a3eb738f2..c9181e5a4a6 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e94262f2-c1e9-4d3f-a907-aeab16712e1a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e94262f2-c1e9-4d3f-a907-aeab16712e1a.json 
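Review bot: The `threshold` groups on `okta.actor.id`, but for the `system.email.*`, `system.sms.*` and `system.voice.*` events in `query` the actor is, as far as I can tell, the Okta system principal rather than the requesting client or the targeted account, so all reset and unlock messages in the org would roll up into one bucket: five legitimate resets in an hour alert, while repeated abuse of a single account is not singled out. Confirm against the system-log schema; if so, grouping by the target user (`okta.target.id`, where populated) or by the client address would better match the stated intent of catching an adversary working one account. The `false_positives` entry already invites tuning the schedule and threshold and should also mention the grouping field.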
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Unusual Executable File Creation by a System Critical Process",
- "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
- "risk_score": 73,
- "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1211",
- "name": "Exploitation for Defense Evasion",
- "reference": "https://attack.mitre.org/techniques/T1211/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Unusual Executable File Creation by a System Critical Process",
+ "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or 
csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+ "risk_score": 73,
+ "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1211",
+ "name": "Exploitation for Defense Evasion",
+ "reference": "https://attack.mitre.org/techniques/T1211/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json b/packages/security_detection_engine/kibana/security_rule/rule-e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json
index 30a1934924f..5b861f4609f 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json
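Review bot: The new envelope carries the rule identifier twice, in `attributes.rule_id` and in the top-level `id`, and nothing in the file ties the two together, so a hand edit to one can silently drift from the other. If the packaging step derives the top-level `id` from `rule_id` (or from the file name), a one-line comment in the generator or the package README saying so would spare reviewers the manual comparison; the same applies to every other rule file in this diff (e9abe69b, e9ff9c1c, ea0784f0, ea248a02, eb079c62, eb9eb8ba, ebb200e8, ebf1adea). The files are also written without a trailing newline (`\ No newline at end of file`); if they are generated, emitting one keeps future diffs clean.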
@@ -1,75 +1,79 @@ { - "author": [ - "Elastic" - ], - "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential LSA Authentication Package Abuse", - "query": "registry where event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", - "risk_score": 47, - "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. 
The binary will then be executed by SYSTEM when the authentication packages are loaded.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSA Authentication Package Abuse", + "query": "registry where event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "risk_score": 47, + "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": "https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": 
"https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json b/packages/security_detection_engine/kibana/security_rule/rule-e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json index a8d5b70b1d6..91d925b0b1d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json 
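Review bot: The only exclusion in the query is `not user.id : "S-1-5-18"`, so a change to the Authentication Packages value made by a process already running as SYSTEM (the very context in which the description says the package is later executed) produces no alert, and the rule text does not say so. Consider adding a `note` to `attributes` along the lines of `"note": "Changes written by the SYSTEM account (S-1-5-18) are deliberately excluded; a baseline or integrity check of this registry value is needed to cover that case."` so analysts know the gap is intentional rather than an oversight. The threat mapping is consistent across both tactics (T1547.002 under TA0004 and TA0003).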
@@ -1,37 +1,41 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
- "from": "now-25m",
- "index": [
- "filebeat-*",
- "logs-azure*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Azure Automation Webhook Created",
- "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\" ) and event.outcome:(Success or success)",
- "references": [
- "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
- "https://github.com/hausec/PowerZure",
- "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
- "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
- ],
- "risk_score": 21,
- "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "to": "now-25m",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. 
An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Automation Webhook Created",
+ "note": "The Azure Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\" ) and event.outcome:(Success or success)",
+ "references": [
+ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+ "https://github.com/hausec/PowerZure",
+ "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+ "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+ ],
+ "risk_score": 21,
+ "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "timestamp_override": "event.ingested",
+ "to": "now-25m",
+ "type": "query",
+ "version": 4
+ },
+ "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ea0784f0-a4d7-4fea-ae86-4baaf27a6f17.json b/packages/security_detection_engine/kibana/security_rule/rule-ea0784f0-a4d7-4fea-ae86-4baaf27a6f17.json
index 003d719f098..b00147df92c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ea0784f0-a4d7-4fea-ae86-4baaf27a6f17.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ea0784f0-a4d7-4fea-ae86-4baaf27a6f17.json
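Review bot: `from` and `to` are both `now-25m` on the new side, which read literally is a zero-width search window; unless Kibana widens the range by the rule's interval (I cannot confirm that from this file), the query would match nothing on each run. If the intent is to lag evaluation behind ingestion by 25 minutes, `from` must be earlier than `to`; if `to` was meant to be left at its default, drop the `"to": "now-25m"` line. Either way the reason belongs in a comment in the rule's source, since the exported JSON cannot carry one.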
@@ -1,73 +1,77 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." 
- ], - "from": "now-9m", - "index": [ - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH (Secure Shell) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", - "risk_score": 47, - "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. 
Such work-flows are usually known and not unexpected." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH (Secure Shell) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )", + "risk_score": 47, + "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - 
"timestamp_override": "event.ingested", - "type": "query", - "version": 8 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ea248a02-bc47-4043-8e94-2885b19b2636.json b/packages/security_detection_engine/kibana/security_rule/rule-ea248a02-bc47-4043-8e94-2885b19b2636.json index 577ec67a423..d2edcddd9b1 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ea248a02-bc47-4043-8e94-2885b19b2636.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ea248a02-bc47-4043-8e94-2885b19b2636.json 
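Review bot: The first `threat` entry (TA0011, Command and Control) carries an empty `technique` array, so a tactic is asserted with nothing a consumer can map to; either attach the intended technique or drop the entry. On the detection side, the `source.ip` exclusion covers IPv4 private, loopback, link-local and multicast ranges plus `::1`, `FE80::/10` and `FF00::/8`, but the `destination.ip` clause matches only the three RFC 1918 IPv4 blocks, so any IPv6 destination never matches this rule; if that asymmetry is deliberate, say so in `false_positives` or a `note`. The `false_positives` text also reads `may be expected expose SSH` and should be `may be expected to expose SSH`.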
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
- "from": "now-20m",
- "index": [
- "filebeat-*",
- "logs-aws*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS IAM Brute Force of Assume Role Policy",
- "note": "The AWS Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
- "references": [
- "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
- "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
- ],
- "risk_score": 47,
- "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "AWS",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1110",
- "name": "Brute Force",
- "reference": "https://attack.mitre.org/techniques/T1110/"
- }
- ]
- }
- ],
- "threshold": {
- "field": [
- ""
+ "attributes": {
+ "author": [
+ "Elastic"
 ],
- "value": 25
+ "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. 
An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+ "from": "now-20m",
+ "index": [
+ "filebeat-*",
+ "logs-aws*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS IAM Brute Force of Assume Role Policy",
+ "note": "The AWS Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+ "references": [
+ "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+ "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+ ],
+ "risk_score": 47,
+ "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ ""
+ ],
+ "value": 25
+ },
+ "type": "threshold",
+ "version": 3
 },
- "type": "threshold",
- "version": 3
+ "id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-eb079c62-4481-4d6e-9643-3ca499df7aaa.json b/packages/security_detection_engine/kibana/security_rule/rule-eb079c62-4481-4d6e-9643-3ca499df7aaa.json
index d175e79ad3e..546f4f219d9 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-eb079c62-4481-4d6e-9643-3ca499df7aaa.json
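Review bot: `threshold.field` on the new side is `[""]`, an empty-string entry that presumably stands for "no grouping field"; if the schema accepts `[]`, that is the clearer spelling, and if `[""]` is simply what the exporter emits, the generator should normalise it so the package does not ship a sentinel that every consumer has to special-case. The same pattern appears in `risk_score_mapping[0].value` of rule eb079c62 further down this diff. Note also that with no grouping field the threshold of 25 counts failures across every principal in the account, which is not quite the per-actor brute force the rule name suggests; grouping on the calling identity would make that intent explicit, but I cannot tell from this file which identity field is populated in the data, so confirm before changing it.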
+++ b/packages/security_detection_engine/kibana/security_rule/rule-eb079c62-4481-4d6e-9643-3ca499df7aaa.json 
@@ -1,67 +1,71 @@ { - "author": [ - "Elastic" - ], - "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "External Alerts", - "query": "event.kind:alert and not event.module:(endgame or endpoint)", - "risk_score": 47, - "risk_score_mapping": [ - { - "field": "event.risk_score", - "operator": "equals", - "value": "" - } - ], - "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", - "rule_name_override": "message", - "severity": "medium", - "severity_mapping": [ - { - "field": "event.severity", - "operator": "equals", - "severity": "low", - "value": "21" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "medium", - "value": "47" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "high", - "value": "73" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "critical", - "value": "99" - } - ], - "tags": [ - "Elastic", - "Network", - "Windows", - "APM", - "macOS", - "Linux" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert for each external alert written to the configured indices. 
Enabling this rule allows you to immediately begin investigating external alerts in the app.", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "External Alerts", + "query": "event.kind:alert and not event.module:(endgame or endpoint)", + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Elastic", + "Network", + "Windows", + "APM", + "macOS", + "Linux" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json b/packages/security_detection_engine/kibana/security_rule/rule-eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json index 64bf5c5475d..d49357e1de3 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json 
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Potential Disabling of SELinux",
- "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
- "risk_score": 47,
- "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. 
Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Potential Disabling of SELinux",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+ "risk_score": 47,
+ "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+ },
+ "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json b/packages/security_detection_engine/kibana/security_rule/rule-ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
index f0198303ea6..21a439e5911 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
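Review bot: The query requires `process.args:0`, so only the numeric spelling of the argument is matched; `setenforce` also accepts the word `Permissive` for the same state (documented on its man page, and as far as I recall compared case-insensitively, which is worth confirming), so the rule misses that equally benign-looking invocation. Since KQL on a keyword field is case-sensitive, `process.args:(0 or Permissive or permissive)` would close the gap without widening the rule to any other command. The rule name already says "Potential", so the broader match fits the stated intent.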
@@ -1,46 +1,50 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the password log file from the default Mimikatz memssp module.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Mimikatz Memssp Log File Detected",
- "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
- "risk_score": 73,
- "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1003",
- "name": "OS Credential Dumping",
- "reference": "https://attack.mitre.org/techniques/T1003/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the password log file from the default Mimikatz memssp module.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Mimikatz Memssp Log File Detected",
+ "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+ "risk_score": 73,
+ "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ 
"timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json b/packages/security_detection_engine/kibana/security_rule/rule-ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json
index 132795ba031..40d0bb92cf0 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json
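Review bot: Unlike the e94262f2 rule earlier in this diff, the query here carries no `event.type` restriction, so creation, modification and deletion of `mimilsa.log` by `lsass.exe` all raise an alert; for an artifact this specific that is defensible (a deletion is itself worth seeing), but it should be stated so a later tuning pass does not add `not event.type:deletion` by analogy with the other rule. A one-line `note` in `attributes` would do it, e.g. `"note": "This rule intentionally alerts on any file event for mimilsa.log, including deletion, so that cleanup of the log is also surfaced."`.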
@@ -1,47 +1,51 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 33, - "name": "IIS HTTP Logging Disabled", - "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe", - "risk_score": 73, - "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. 
An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 33, + "name": "IIS HTTP Logging Disabled", + "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe", + "risk_score": 73, + "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ebfe1448-7fac-4d59-acea-181bd89b1f7f.json b/packages/security_detection_engine/kibana/security_rule/rule-ebfe1448-7fac-4d59-acea-181bd89b1f7f.json index c3304a5b0a7..e9a5557cb65 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ebfe1448-7fac-4d59-acea-181bd89b1f7f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ebfe1448-7fac-4d59-acea-181bd89b1f7f.json 
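Review bot: `max_signals: 33` is the only explicit `max_signals` among the rules in this change and the value is not explained anywhere in the file; if it is intentional it deserves a sentence in a `note`, otherwise it should be dropped so the engine default applies. The rule also has no `note` at all, so the two non-obvious parts of the query — the exact `process.args` token match on `/dontLog:"True"` and the `not process.parent.name:iissetup.exe` exclusion — go undocumented. A `note` stating that the argument match is an exact keyword token and that the parent exclusion exists to suppress the IIS setup path would tell a maintainer what can be changed safely and what is load-bearing.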
@@ -1,29 +1,33 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Execution from an Unusual Directory", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", - "risk_score": 47, - "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + 
"attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Execution from an Unusual Directory", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "risk_score": 47, + "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": 
"ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json b/packages/security_detection_engine/kibana/security_rule/rule-ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json index f1e4d5dd4a2..4eb8df2618d 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json 
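Review bot: The `process.executable` list in the query contains `C:\\Windows\\security\\*.exe` twice — once after the `ServiceState` entry and again after `TextInput` — so one copy should be removed; it is harmless to EQL, but it shows the list was assembled by hand with no deduplication. The query string also embeds a stale TODO (`/* uncomment once in winlogbeat */` followed by the commented-out `process.code_signature` exclusion), which a JSON rule file has no way to track; either enable that clause if `process.code_signature.*` is now populated in the targeted indices, or move the reminder into the rule's `note` field with a reference to the tracking issue. Whether those signature fields are populated for `winlogbeat-*` I cannot tell from this file.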
@@ -1,57 +1,61 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", - "false_positives": [ - "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Instance/Cluster Stoppage", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" - ], - "risk_score": 47, - "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Asset Visibility" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], 
+ "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", + "false_positives": [ + "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Instance/Cluster Stoppage", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" + ], + "risk_score": 47, + "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", + "type": "security_rule" } \ No newline at end 
of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json b/packages/security_detection_engine/kibana/security_rule/rule-ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json index d708e00f591..0cba04a5c13 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json 
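Review bot: The `note` says only "The AWS Filebeat module must be enabled to use this rule", yet `index` also targets `logs-aws*`, which by the same naming as the Okta rules' `logs-okta*` looks like the Fleet integration data stream; those Okta rules phrase it as "The Okta Fleet integration or Filebeat module must be enabled", so this should read `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."`. The Azure rule in the next hunk (ed9ecd27) has the same gap with `logs-azure*`. The `from: now-60m` / `interval: 10m` pair makes each run re-scan the previous five windows; if that is deliberate to absorb CloudTrail delivery lag it is worth a sentence in the note, since the pair otherwise reads as a typo.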
@@ -1,52 +1,56 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", - "false_positives": [ - "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Global Administrator Role Addition to PIM User", - "note": "The Azure Filebeat module must be enabled to use this rule.", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" - ], - "risk_score": 73, - "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - 
{ - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", + "false_positives": [ + "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Global Administrator Role Addition to PIM User", + "note": "The Azure Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" + ], + "risk_score": 73, + "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-eda499b8-a073-4e35-9733-22ec71f57f3a.json b/packages/security_detection_engine/kibana/security_rule/rule-eda499b8-a073-4e35-9733-22ec71f57f3a.json index 1802ee33c75..3a6ce572607 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-eda499b8-a073-4e35-9733-22ec71f57f3a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-eda499b8-a073-4e35-9733-22ec71f57f3a.json 
@@ -1,79 +1,83 @@ { - "author": [ - "Elastic" - ], - "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AdFind Command Activity", - "note": "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.", - "query": "process where event.type in (\"start\", \"process_started\") and \n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\", \n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", - "references": [ - "http://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", 
- "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" - ], - "risk_score": 21, - "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.002", - "name": "Domain Groups", - "reference": "https://attack.mitre.org/techniques/T1069/002/" - } - ] + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdFind Command Activity", + "note": "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. 
Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.", + "query": "process where event.type in (\"start\", \"process_started\") and \n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\", \n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "references": [ + "http://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" + ], + "risk_score": 21, + "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.002", - "name": "Domain Account", - "reference": 
"https://attack.mitre.org/techniques/T1087/002/" - } - ] - }, - { - "id": "T1482", - "name": "Domain Trust Discovery", - "reference": "https://attack.mitre.org/techniques/T1482/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json b/packages/security_detection_engine/kibana/security_rule/rule-edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json index f0024d9c225..9ac6879e915 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json 
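Review bot: The `process.args` list in the query pairs every `objectcategory=` value with a parenthesised twin (`"objectcategory=computer"` next to `"(objectcategory=computer)"`), doubling the list for readers and maintainers; since EQL's `:` operator accepts wildcards, one `"*objectcategory=computer*"` entry per category would express the same intent in half the lines. That does widen the match to arguments where the filter sits inside a larger LDAP expression, so it is a behaviour change to weigh rather than a drop-in rewrite. The `note` is useful, but it could also state that the low `risk_score: 21` is deliberate because AdFind is a legitimate administrative tool — next to a description citing ransomware campaigns the score otherwise looks surprising.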
@@ -1,37 +1,41 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Application", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 21, - "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", - "severity": "low", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Application", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 21, + "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-edf8ee23-5ea7-4123-ba19-56b41e424ae3.json b/packages/security_detection_engine/kibana/security_rule/rule-edf8ee23-5ea7-4123-ba19-56b41e424ae3.json index 29e16b4a98a..c5dd5298750 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-edf8ee23-5ea7-4123-ba19-56b41e424ae3.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-edf8ee23-5ea7-4123-ba19-56b41e424ae3.json 
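Review bot: This rule has no `threat` array, so it carries no MITRE ATT&amp;CK mapping while most rules in this change do; the resulting alert will show no tactic or technique in the Security app. Deactivating an application reads as an impact on the service rather than an identity change, so an Impact-tactic mapping seems the likely fit, but the rule owner should choose it. Adding the mapping would also make the `tags` and `description` line up with how the other rules in this change are classified.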
@@ -1,49 +1,53 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "ImageLoad via Windows Update Auto Update Client",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
- "references": [
- "https://dtm.uk/wuauclt/"
- ],
- "risk_score": 47,
- "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1218",
- "name": "Signed Binary Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1218/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "ImageLoad via Windows Update Auto Update Client",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+ "references": [
+ "https://dtm.uk/wuauclt/"
+ ],
+ "risk_score": 47,
+ "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "Signed Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-eea82229-b002-470e-a9e1-00be38b14d32.json b/packages/security_detection_engine/kibana/security_rule/rule-eea82229-b002-470e-a9e1-00be38b14d32.json
index c2c5134c951..3d45b159830 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-eea82229-b002-470e-a9e1-00be38b14d32.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-eea82229-b002-470e-a9e1-00be38b14d32.json
@@ -1,57 +1,61 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Potential Privacy Control Bypass via TCCDB Modification",
- "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
- "references": [
- "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
- "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
- "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
- ],
- "risk_score": 47,
- "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Privacy Control Bypass via TCCDB Modification",
+ "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+ "references": [
+ "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
+ "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
+ "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
+ ],
+ "risk_score": 47,
+ "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "eea82229-b002-470e-a9e1-00be38b14d32",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ef862985-3f13-4262-a686-5f357bbb9bc2.json b/packages/security_detection_engine/kibana/security_rule/rule-ef862985-3f13-4262-a686-5f357bbb9bc2.json
index 7703073a5eb..6bd5beb6891 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ef862985-3f13-4262-a686-5f357bbb9bc2.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ef862985-3f13-4262-a686-5f357bbb9bc2.json
@@ -1,49 +1,53 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
- "false_positives": [
- "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
- ],
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Whoami Process Activity",
- "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
- "risk_score": 21,
- "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Discovery"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0007",
- "name": "Discovery",
- "reference": "https://attack.mitre.org/tactics/TA0007/"
- },
- "technique": [
- {
- "id": "T1033",
- "name": "System Owner/User Discovery",
- "reference": "https://attack.mitre.org/techniques/T1033/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
+ "false_positives": [
+ "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Whoami Process Activity",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+ "risk_score": 21,
+ "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1033",
+ "name": "System Owner/User Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1033/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+ },
+ "id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f036953a-4615-4707-a1ca-dc53bf69dcd5.json b/packages/security_detection_engine/kibana/security_rule/rule-f036953a-4615-4707-a1ca-dc53bf69dcd5.json
index aac2b6107e4..5cb78ac7660 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f036953a-4615-4707-a1ca-dc53bf69dcd5.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f036953a-4615-4707-a1ca-dc53bf69dcd5.json
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Unusual Child Processes of RunDLL32",
- "query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
- "risk_score": 21,
- "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1218",
- "name": "Signed Binary Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1218/",
- "subtechnique": [
- {
- "id": "T1218.011",
- "name": "Rundll32",
- "reference": "https://attack.mitre.org/techniques/T1218/011/"
- }
- ]
- }
- ]
- }
- ],
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Unusual Child Processes of RunDLL32",
+ "query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
+ "risk_score": 21,
+ "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "Signed Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/",
+ "subtechnique": [
+ {
+ "id": "T1218.011",
+ "name": "Rundll32",
+ "reference": "https://attack.mitre.org/techniques/T1218/011/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 3
+ },
+ "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f06414a6-f2a4-466d-8eba-10f85e8abf71.json b/packages/security_detection_engine/kibana/security_rule/rule-f06414a6-f2a4-466d-8eba-10f85e8abf71.json
index c7f944bb9ac..2c5882fa76c 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f06414a6-f2a4-466d-8eba-10f85e8abf71.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f06414a6-f2a4-466d-8eba-10f85e8abf71.json
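Review bot: `"risk_score": 21` is carried over next to `"severity": "high"` in this rule, whereas every other rule in this chunk pairs 21 with `low`, 47 with `medium` and 73 with `high`, so one of the two values looks wrong and alert triage sorted by either field will disagree for this rule. The re-wrap does not touch the values, but it is the moment to confirm against the upstream rule source whether `"risk_score": 73` or `"severity": "low"` is intended. This rule is also the only one here without `"timestamp_override": "event.ingested"`, which is presumably deliberate for a `sequence` query but is worth a one-line confirmation in the PR description.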
@@ -1,53 +1,57 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
- "false_positives": [
- "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Administrator Role Assigned to an Okta User",
- "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:okta.system and event.action:user.account.privilege.grant",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 47,
- "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Okta",
- "SecOps",
- "Monitoring",
- "Continuous Monitoring"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1098",
- "name": "Account Manipulation",
- "reference": "https://attack.mitre.org/techniques/T1098/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+ "false_positives": [
+ "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Administrator Role Assigned to an Okta User",
+ "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:okta.system and event.action:user.account.privilege.grant",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "risk_score": 47,
+ "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Okta",
+ "SecOps",
+ "Monitoring",
+ "Continuous Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json b/packages/security_detection_engine/kibana/security_rule/rule-f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json
index 2b8787420ce..2397da3f9fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json
@@ -1,56 +1,60 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Attempt to Remove File Quarantine Attribute",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\" and process.command_line :\n (\n \"/bin/bash -c xattr -c *\",\n \"/bin/zsh -c xattr -c *\",\n \"/bin/sh -c xattr -c *\"\n )\n )\n )\n",
- "references": [
- "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
- "https://ss64.com/osx/xattr.html"
- ],
- "risk_score": 47,
- "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Attempt to Remove File Quarantine Attribute",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\" and process.command_line :\n (\n \"/bin/bash -c xattr -c *\",\n \"/bin/zsh -c xattr -c *\",\n \"/bin/sh -c xattr -c *\"\n )\n )\n )\n",
+ "references": [
+ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+ "https://ss64.com/osx/xattr.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json b/packages/security_detection_engine/kibana/security_rule/rule-f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json
index dde1220fa55..e1595b6ac52 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json
@@ -1,65 +1,69 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Execution with Explicit Credentials via Scripting",
- "query": "event.category:process and event.type:(start or process_started) and process.name:\"security_authtrampoline\" and process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)",
- "references": [
- "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
- "https://www.manpagez.com/man/8/security_authtrampoline/"
- ],
- "risk_score": 47,
- "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Execution",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Execution with Explicit Credentials via Scripting",
+ "query": "event.category:process and event.type:(start or process_started) and process.name:\"security_authtrampoline\" and process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)",
+ "references": [
+ "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
+ "https://www.manpagez.com/man/8/security_authtrampoline/"
+ ],
+ "risk_score": 47,
+ "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1078",
- "name": "Valid Accounts",
- "reference": "https://attack.mitre.org/techniques/T1078/"
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 2
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+ },
+ "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f24bcae1-8980-4b30-b5dd-f851b055c9e7.json b/packages/security_detection_engine/kibana/security_rule/rule-f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
index cd6178acf9f..2cc01ededaf 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
@@ -1,75 +1,79 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Creation of Hidden Login Item via Apple Script",
- "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
- "risk_score": 47,
- "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Persistence",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Creation of Hidden Login Item via Apple Script",
+ "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
+ "risk_score": 47,
+ "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Persistence",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.011",
+ "name": "Plist Modification",
+ "reference": "https://attack.mitre.org/techniques/T1547/011/"
+ }
+ ]
+ }
+ ]
 },
- "technique": [
- {
- "id": "T1547",
- "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.011",
- "name": "Plist Modification",
- "reference": "https://attack.mitre.org/techniques/T1547/011/"
- }
- ]
- }
- ]
- },
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1059",
- "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/",
- "subtechnique": [
- {
- "id": "T1059.002",
- "name": "AppleScript",
- "reference": "https://attack.mitre.org/techniques/T1059/002/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 1
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.002",
+ "name": "AppleScript",
+ "reference": "https://attack.mitre.org/techniques/T1059/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+ "type": "security_rule"
 }
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f28e2be4-6eca-4349-bdd9-381573730c22.json b/packages/security_detection_engine/kibana/security_rule/rule-f28e2be4-6eca-4349-bdd9-381573730c22.json
index a9dfb4a6b6f..e10b7566127 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-f28e2be4-6eca-4349-bdd9-381573730c22.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f28e2be4-6eca-4349-bdd9-381573730c22.json
@@ -1,68 +1,72 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", - "false_positives": [ - "Updates to approved and trusted SSH executables can trigger this rule." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential OpenSSH Backdoor Logging Activity", - "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n file.name : (\".*\", \"~*\") or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path : \n (\n \"/private/etc/*--\", \n \"/usr/share/*\", \n \"/usr/include/*\", \n \"/usr/local/include/*\", \n \"/private/tmp/*\", \n \"/private/var/tmp/*\",\n \"/usr/tmp/*\", \n \"/usr/share/man/*\", \n \"/usr/local/share/*\", \n \"/usr/lib/*.so.*\", \n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\", \n \"/private/var/opt/power\", \n \"/private/etc/ssh/ssh_known_hosts\", \n \"/private/var/html/lol\", \n \"/private/var/log/utmp\", \n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", - "references": [ - "https://github.com/eset/malware-ioc/tree/master/sshdoor", - "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" - ], - "risk_score": 73, - "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Persistence", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE 
ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n file.name : (\".*\", \"~*\") or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path : \n (\n \"/private/etc/*--\", \n \"/usr/share/*\", \n \"/usr/include/*\", \n \"/usr/local/include/*\", \n \"/private/tmp/*\", \n \"/private/var/tmp/*\",\n \"/usr/tmp/*\", \n \"/usr/share/man/*\", \n \"/usr/local/share/*\", \n \"/usr/lib/*.so.*\", \n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\", \n \"/private/var/opt/power\", \n \"/private/etc/ssh/ssh_known_hosts\", \n \"/private/var/html/lol\", \n \"/private/var/log/utmp\", \n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "severity": "high", + "tags": [ + "Elastic", + 
"Host", + "Linux", + "Threat Detection", + "Persistence", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1554", - "name": "Compromise Client Software Binary", - "reference": "https://attack.mitre.org/techniques/T1554/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f2c7b914-eda3-40c2-96ac-d23ef91776ca.json b/packages/security_detection_engine/kibana/security_rule/rule-f2c7b914-eda3-40c2-96ac-d23ef91776ca.json index 70bea06d4b4..06bc963f92a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f2c7b914-eda3-40c2-96ac-d23ef91776ca.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f2c7b914-eda3-40c2-96ac-d23ef91776ca.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "SIP Provider Modification", - "query": "registry where event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", - "references": [ - "https://github.com/mattifestation/PoCSubjectInterfacePackage" - ], - "risk_score": 47, - "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.003", - "name": "SIP and Trust Provider Hijacking", - "reference": "https://attack.mitre.org/techniques/T1553/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - 
"version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SIP Provider Modification", + "query": "registry where event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql", + "version": 1 + }, + "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f2f46686-6f3c-4724-bd7d-24e31c70f98f.json b/packages/security_detection_engine/kibana/security_rule/rule-f2f46686-6f3c-4724-bd7d-24e31c70f98f.json index 48a8db23e0d..6786c7a12cc 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f2f46686-6f3c-4724-bd7d-24e31c70f98f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f2f46686-6f3c-4724-bd7d-24e31c70f98f.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "LSASS Memory Dump Creation", - "query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)", - "references": [ - "https://github.com/outflanknl/Dumpert", - "https://github.com/hoangprod/AndrewSpecial" - ], - "risk_score": 73, - "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. 
This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "risk_score": 73, + "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f3475224-b179-4f78-8877-c2bd64c26b88.json b/packages/security_detection_engine/kibana/security_rule/rule-f3475224-b179-4f78-8877-c2bd64c26b88.json index 20ca56977cc..5ca7970f0a9 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f3475224-b179-4f78-8877-c2bd64c26b88.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f3475224-b179-4f78-8877-c2bd64c26b88.json 
@@ -1,54 +1,58 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where process.name : \"svchost.exe\" and network.direction == \"incoming\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\" and \n source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n \"C:\\\\Windows\\\\CCMCache\\\\*\", \n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", - "risk_score": 47, - "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where process.name : \"svchost.exe\" and network.direction == \"incoming\" and\n source.address != \"127.0.0.1\" and source.address != \"::1\" and \n source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n \"C:\\\\Windows\\\\CCMCache\\\\*\", \n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "type": "eql", - "version": 2 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + 
"technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f37f3054-d40b-49ac-aa9b-a786c74c58b8.json b/packages/security_detection_engine/kibana/security_rule/rule-f37f3054-d40b-49ac-aa9b-a786c74c58b8.json index a9a0c40924c..6d51fed1df8 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f37f3054-d40b-49ac-aa9b-a786c74c58b8.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f37f3054-d40b-49ac-aa9b-a786c74c58b8.json 
@@ -1,60 +1,64 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", - "false_positives": [ - "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sudo Heap-Based Buffer Overflow Attempt", - "query": "event.category:process and event.type:start and process.name:(sudo or sudoedit) and process.args:(*\\\\ and (\"-i\" or \"-s\"))", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", - "https://www.sudo.ws/alerts/unescape_overflow.html" - ], - "risk_score": 73, - "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "threshold": { - "field": [ - "host.hostname" + "attributes": { + "author": [ + 
"Elastic" ], - "value": 100 + "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", + "false_positives": [ + "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudo Heap-Based Buffer Overflow Attempt", + "query": "event.category:process and event.type:start and process.name:(sudo or sudoedit) and process.args:(*\\\\ and (\"-i\" or \"-s\"))", + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", + "https://www.sudo.ws/alerts/unescape_overflow.html" + ], + "risk_score": 73, + "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "threshold": { + "field": [ + "host.hostname" + ], + "value": 100 + }, + "type": "threshold", + "version": 
1 }, - "type": "threshold", - "version": 1 + "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json b/packages/security_detection_engine/kibana/security_rule/rule-f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json index 975d96ae0d0..4bfd859a013 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json 
@@ -1,49 +1,53 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Microsoft Office AddIns", - "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", - "references": [ - "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" - ], - "risk_score": 73, - "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1137", - "name": "Office Application Startup", - "reference": "https://attack.mitre.org/techniques/T1137/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Office AddIns", + "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n 
\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", + "references": [ + "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" + ], + "risk_score": 73, + "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json b/packages/security_detection_engine/kibana/security_rule/rule-f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json index ce046320e61..de718bfa3b2 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows Script Executing PowerShell", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", - "risk_score": 21, - "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. 
Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Script Executing PowerShell", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f675872f-6d85-40a3-b502-c0d2ef101e92.json b/packages/security_detection_engine/kibana/security_rule/rule-f675872f-6d85-40a3-b502-c0d2ef101e92.json index 2024d1f85cb..9d5a490790a 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f675872f-6d85-40a3-b502-c0d2ef101e92.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f675872f-6d85-40a3-b502-c0d2ef101e92.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Delete Volume USN Journal with Fsutil", - "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)", - "risk_score": 21, - "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. 
This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Delete Volume USN Journal with Fsutil", + "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)", + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f683dcdf-a018-4801-b066-193d4ae6c8e5.json b/packages/security_detection_engine/kibana/security_rule/rule-f683dcdf-a018-4801-b066-193d4ae6c8e5.json index 5eeed7aa369..f0e12694299 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f683dcdf-a018-4801-b066-193d4ae6c8e5.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f683dcdf-a018-4801-b066-193d4ae6c8e5.json 
@@ -1,58 +1,62 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", - "false_positives": [ - "Authorized SoftwareUpdate Settings Changes" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SoftwareUpdate Preferences Modification", - "query": "event.category:process and event.type:(start or process_started) and process.name:defaults and process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))", - "references": [ - "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" - ], - "risk_score": 47, - "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. 
Adversaries may abuse this in an attempt to disable security updates.", + "false_positives": [ + "Authorized SoftwareUpdate Settings Changes" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SoftwareUpdate Preferences Modification", + "query": "event.category:process and event.type:(start or process_started) and process.name:defaults and process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))", + "references": [ + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" + ], + "risk_score": 47, + "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f772ec8a-e182-483c-91d2-72058f76a44c.json b/packages/security_detection_engine/kibana/security_rule/rule-f772ec8a-e182-483c-91d2-72058f76a44c.json index 76a2039af8d..0403b649073 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f772ec8a-e182-483c-91d2-72058f76a44c.json 
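Review bot: The `query` excludes only two spellings of a true value, `not (TRUE or true)`, but `defaults write ... -bool` also accepts `YES`/`yes`/`1`, so an authorized command that turns SoftwareUpdate checks *on* (for example `... -bool YES`) will fire this medium-severity rule as a false positive. Widening the exclusion to `not (TRUE or true or YES or yes or 1)` keeps the intent (alert when a setting is switched off) while dropping the most common benign variant. How the casing variants match depends on the `process.args` mapping (keyword fields are case-sensitive in KQL), so confirm against the indexed data before relying on either spelling.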
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f772ec8a-e182-483c-91d2-72058f76a44c.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Alarm Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", - "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" - ], - "risk_score": 47, - "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS CloudWatch alarm. 
An adversary may delete alarms in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Alarm Deletion", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" + ], + "risk_score": 47, + "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "f772ec8a-e182-483c-91d2-72058f76a44c", + "type": "security_rule" } \ No newline at end of file 
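Review bot: The `note` field is stale relative to the `index` list: it says only `The AWS Filebeat module must be enabled to use this rule.`, yet the rule also reads `logs-aws*`, which is the Fleet integration data stream, and the Okta rules in this same change phrase it as "Fleet integration or Filebeat module". Suggested text: `"note": "The AWS Fleet integration or Filebeat module must be enabled to use this rule."`. Separately, `event.outcome:success` means a denied `DeleteAlarms` call never surfaces; if failed attempts are wanted as an early signal, that would need a companion rule rather than a change here, since widening this query would alter its false-positive profile.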
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f7c4dc5a-a58d-491d-9f14-9b66507121c0.json b/packages/security_detection_engine/kibana/security_rule/rule-f7c4dc5a-a58d-491d-9f14-9b66507121c0.json index cc0de051939..99a70ae6ccb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f7c4dc5a-a58d-491d-9f14-9b66507121c0.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f7c4dc5a-a58d-491d-9f14-9b66507121c0.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistent Scripts in the Startup Directory", - "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n \n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", - "risk_score": 47, - "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + 
"logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n \n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f81ee52c-297e-46d9-9205-07e66931df26.json b/packages/security_detection_engine/kibana/security_rule/rule-f81ee52c-297e-46d9-9205-07e66931df26.json index e8aae6ebb41..73571407277 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f81ee52c-297e-46d9-9205-07e66931df26.json 
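Review bot: The EQL `query` has an operator-precedence defect: `and` binds tighter than `or`, so `event.type != "deletion" and user.domain != "NT AUTHORITY" and (lnk-branch) or file.path : (vbs/js-branch)` parses as `(... and ... and lnk-branch) or (vbs/js-branch)`, and the second branch is not guarded by the deletion and `NT AUTHORITY` filters — a `.vbs` deletion event in the Startup folder, or one created under the system account, will fire. Wrapping both branches together fixes it: `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and ( (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and process.name : ("wscript.exe", "cscript.exe")) or file.path : (...) )` (JSON-escaped as in the existing string). The comments inside the query already describe the two branches, so the `/* ... */` text can stay where it is once the parentheses are added.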
+++ b/packages/security_detection_engine/kibana/security_rule/rule-f81ee52c-297e-46d9-9205-07e66931df26.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "query": "process where event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\"))\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" - ], - "risk_score": 73, - "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). 
This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "query": "process where event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\"))\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + ], + "risk_score": 73, + "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f81ee52c-297e-46d9-9205-07e66931df26", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json b/packages/security_detection_engine/kibana/security_rule/rule-f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json index 8a26f74a2ba..a98bd2e1632 100644 
--- a/packages/security_detection_engine/kibana/security_rule/rule-f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json 
@@ -1,51 +1,55 @@ { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", - "false_positives": [ - "Trusted system or Adobe Acrobat Related processes." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and user.name:root and not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or /usr/bin/codesign or /private/var/folders/zz/*/T/download/ARMDCHammer or /usr/sbin/pkgutil or /usr/bin/shasum or /usr/bin/perl* or /usr/sbin/spctl or /usr/sbin/installer)", - "references": [ - "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" - ], - "risk_score": 73, - "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "macOS", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the 
Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", + "false_positives": [ + "Trusted system or Adobe Acrobat Related processes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and user.name:root and not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or /usr/bin/codesign or /private/var/folders/zz/*/T/download/ARMDCHammer or /usr/sbin/pkgutil or /usr/bin/shasum or /usr/bin/perl* or /usr/sbin/spctl or /usr/sbin/installer)", + "references": [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" + ], + "risk_score": 73, + "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "type": "security_rule" } \ No newline at end of file 
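Review bot: The exclusion list in `query` is path-only, and two entries are globs under user- or temp-writable locations (`/private/var/folders/zz/*/T/download/ARMDCHammer`, `/usr/bin/perl*`), so this high-severity rule's allowlist rests on a file path rather than on who signed the binary. If the endpoint data for `logs-endpoint.events.*` carries `process.code_signature.*` fields, adding a signer condition alongside the path exclusions (for example requiring the excluded helper to be Apple- or Adobe-signed) would make the allowlist harder to satisfy by coincidence; I cannot confirm from this hunk which fields are populated, so treat that as something to verify. A short `note` explaining why each excluded path is expected under `com.adobe.ARMDC.SMJobBlessHelper` would also help the next maintainer judge whether an entry can be tightened.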
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f9590f47-6bd5-4a49-bd49-a2f886476fb9.json b/packages/security_detection_engine/kibana/security_rule/rule-f9590f47-6bd5-4a49-bd49-a2f886476fb9.json index 3a5fb96dc32..157c35146aa 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f9590f47-6bd5-4a49-bd49-a2f886476fb9.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f9590f47-6bd5-4a49-bd49-a2f886476fb9.json 
@@ -1,44 +1,48 @@ { - "anomaly_threshold": 25, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "linux_network_configuration_discovery", - "name": "Unusual Linux System Network Configuration Discovery", - "risk_score": 21, - "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "ML" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/" - } - ] - } - ], - "type": "machine_learning", - "version": 2 + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. 
This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "linux_network_configuration_discovery", + "name": "Unusual Linux System Network Configuration Discovery", + "risk_score": 21, + "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "type": "machine_learning", + "version": 2 + }, + "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-f994964f-6fce-4d75-8e79-e16ccc412588.json b/packages/security_detection_engine/kibana/security_rule/rule-f994964f-6fce-4d75-8e79-e16ccc412588.json index 3f67ecaeaf9..0dc2483d601 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-f994964f-6fce-4d75-8e79-e16ccc412588.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-f994964f-6fce-4d75-8e79-e16ccc412588.json 
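Review bot: This machine-learning rule declares `machine_learning_job_id: linux_network_configuration_discovery` but carries no `note`, whereas the query rules in this change (Okta, AWS) document their data-source prerequisite in a `note`. Suggested addition: `"note": "This rule requires the linux_network_configuration_discovery machine learning job to be installed and running."`. Keeping prerequisite notes consistent across rule types makes the package self-describing when a rule is enabled without its job.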
@@ -1,98 +1,102 @@ { - "author": [ - "Elastic" - ], - "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", - "false_positives": [ - "A user may report suspicious activity on their Okta account in error." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Activity Reported by Okta User", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", - "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" - ], - "risk_score": 47, - "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", - "severity": "medium", - "tags": [ - "Elastic", - "Identity", - "Okta", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", + "false_positives": [ + "A user may report suspicious activity on their Okta account in error." 
+ ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Activity Reported by Okta User", + "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "risk_score": 47, + "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": 
"TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "f994964f-6fce-4d75-8e79-e16ccc412588", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fa01341d-6662-426b-9d0c-6d81e33c8a9d.json b/packages/security_detection_engine/kibana/security_rule/rule-fa01341d-6662-426b-9d0c-6d81e33c8a9d.json index ca3a6659aac..23cbd8b8bef 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fa01341d-6662-426b-9d0c-6d81e33c8a9d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fa01341d-6662-426b-9d0c-6d81e33c8a9d.json 
@@ -1,53 +1,57 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Copy to a Hidden Share", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", - "risk_score": 47, - "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy to a Hidden Share", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", + "risk_score": 47, + "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fb02b8d3-71ee-4af1-bacd-215d23f17efa.json b/packages/security_detection_engine/kibana/security_rule/rule-fb02b8d3-71ee-4af1-bacd-215d23f17efa.json index f950f790cb7..da5de1837fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fb02b8d3-71ee-4af1-bacd-215d23f17efa.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fb02b8d3-71ee-4af1-bacd-215d23f17efa.json 
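Review bot: The final clause of `query`, `process.args : "*$*"`, matches any argument containing a `$`, and for `powershell.exe` that includes ordinary variable references such as `$src` or `$env:TEMP`, so scripted local copies that never touch a share will fire this medium-severity rule. If the intent is the hidden admin shares the description and `T1021.002` mapping point to, a UNC-shaped pattern narrows it — in EQL `process.args : "\\\\*\\*$*"` (matching `\\host\C$...`), JSON-escaped in the same way as the existing string. Whether `process.args` is tokenized per argument or as the full command line affects how `copy*`/`move*` and the share pattern combine, so verify the mapping before tightening.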
@@ -1,64 +1,68 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", - "false_positives": [ - "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Registration Utility", - "query": "sequence by process.entity_id\n [process where event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n user.id == \"S-1-5-18\" and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\") and network.protocol != \"dns\"]\n", - "risk_score": 21, - "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. 
This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Registration Utility", + "query": "sequence by process.entity_id\n [process where event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n user.id == \"S-1-5-18\" and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\") and network.protocol != \"dns\"]\n", + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.010", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1218/010/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 + { + "framework": 
"MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fb9937ce-7e21-46bf-831d-1ad96eac674d.json b/packages/security_detection_engine/kibana/security_rule/rule-fb9937ce-7e21-46bf-831d-1ad96eac674d.json index 93ce4c530d9..54152704526 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fb9937ce-7e21-46bf-831d-1ad96eac674d.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fb9937ce-7e21-46bf-831d-1ad96eac674d.json 
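Review bot: The description on the new side names regsvr64.exe among the covered tools, but the query's `process.name` lists only `regsvr32.exe`, `RegAsm.exe` and `RegSvcs.exe` in both the process and network stages, so the text overstates coverage; reconciling it, e.g. `"description": "Identifies the native Windows tools regsvr32.exe, RegSvcs.exe, or RegAsm.exe making a network connection. ..."`, avoids misleading analysts. This rule is also the only one in this change without `"timestamp_override": "event.ingested"`, which the sibling rules set so that delayed ingestion does not fall outside the `from` window, and its Execution tactic entry carries an empty `"technique": []`, which is presumably intentional but reads as an unfinished mapping. If these files are generated from a rule source, the fix belongs upstream.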
@@ -1,61 +1,65 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies that the maximum number of failed login attempts has been reached for a user.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Max Failed Login Attempts", - "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574" - ], - "risk_score": 47, - "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that the maximum number of failed login attempts has been reached for a user.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Auditd Max Failed Login Attempts", + "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574" + ], + "risk_score": 47, + "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] }, - "technique": [ - { - "id": "T1078", - "name": "Valid 
Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "fb9937ce-7e21-46bf-831d-1ad96eac674d", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fbd44836-0d69-4004-a0b4-03c20370c435.json b/packages/security_detection_engine/kibana/security_rule/rule-fbd44836-0d69-4004-a0b4-03c20370c435.json index ff43bc0541a..c099e3598a0 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fbd44836-0d69-4004-a0b4-03c20370c435.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fbd44836-0d69-4004-a0b4-03c20370c435.json 
@@ -1,62 +1,66 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Configuration Recorder Stopped", - "note": "The AWS Filebeat module must be enabled to use this rule.", - "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", - "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html" - ], - "risk_score": 73, - "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "AWS", - "Continuous Monitoring", - "SecOps", - "Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS configuration change to stop recording a designated set 
of resources.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Configuration Recorder Stopped", + "note": "The AWS Filebeat module must be enabled to use this rule.", + "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html" + ], + "risk_score": 73, + "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "fbd44836-0d69-4004-a0b4-03c20370c435", + "type": "security_rule" } \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json b/packages/security_detection_engine/kibana/security_rule/rule-fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json index 29b6e48f358..ec2f6ed7d3f 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json 
@@ -1,56 +1,60 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", - "references": [ - "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" - ], - "risk_score": 47, - "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Access Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a 
malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" + ], + "risk_score": 47, + "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "type": "security_rule" } \ No newline at end of file 
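Review bot: The query on the new side ships a commented-out exclusion, `/* uncomment once in winlogbeat */ /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */`, so the signed-Microsoft filter is dead text inside a deployed detection and nothing outside the query tracks when it should be enabled. Either move the reminder into the rule's `note` field or track it in the rule source, so the EQL that reaches users contains only active logic. The rule also has no `false_positives` entry to guide tuning of the `AppData\*\Temp\IDC*.tmp` path pattern. If these files are generated from a rule source, the change belongs upstream.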
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fd4a992d-6130-4802-9ff8-829b89ae801f.json b/packages/security_detection_engine/kibana/security_rule/rule-fd4a992d-6130-4802-9ff8-829b89ae801f.json index 3b5c8ac09df..b84b306d706 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fd4a992d-6130-4802-9ff8-829b89ae801f.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fd4a992d-6130-4802-9ff8-829b89ae801f.json 
@@ -1,75 +1,79 @@ { - "author": [ - "Elastic" - ], - "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Application Shimming via Sdbinst", - "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe", - "risk_score": 21, - "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. 
This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe", + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + { + 
"framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fd70c98a-c410-42dc-a2e3-761c71848acf.json b/packages/security_detection_engine/kibana/security_rule/rule-fd70c98a-c410-42dc-a2e3-761c71848acf.json index b7dcb66e2f1..295ce8a4604 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fd70c98a-c410-42dc-a2e3-761c71848acf.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fd70c98a-c410-42dc-a2e3-761c71848acf.json 
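Review bot: The query `process.name:sdbinst.exe` fires on every start of the shim installer, yet the rule ships no `false_positives` guidance, unlike the cloud rules in this change, so tuners have nothing to go on when the backward-compatibility use the description itself mentions occurs legitimately. A `false_positives` entry along the lines of `"Legitimate application installers may invoke sdbinst.exe to register compatibility databases; verify the parent process and exclude expected installers."` would document the benign path. If these files are generated from a rule source, the addition belongs upstream.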
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Encoding or Decoding Files via CertUtil", - "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", - "risk_score": 47, - "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. 
CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Encoding or Decoding Files via CertUtil", + "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-fd7a6052-58fa-4397-93c3-4795249ccfa2.json b/packages/security_detection_engine/kibana/security_rule/rule-fd7a6052-58fa-4397-93c3-4795249ccfa2.json index 91c98485328..e7ea9e2ba69 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-fd7a6052-58fa-4397-93c3-4795249ccfa2.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-fd7a6052-58fa-4397-93c3-4795249ccfa2.json 
@@ -1,46 +1,50 @@ { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Svchost spawning Cmd", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 7 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + 
"name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "type": "security_rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ff013cb4-274d-434a-96bb-fe15ddd3ae92.json b/packages/security_detection_engine/kibana/security_rule/rule-ff013cb4-274d-434a-96bb-fe15ddd3ae92.json index ec4a5503c1e..badd097c75c 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ff013cb4-274d-434a-96bb-fe15ddd3ae92.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ff013cb4-274d-434a-96bb-fe15ddd3ae92.json 
@@ -1,50 +1,54 @@ { - "author": [ - "Elastic" - ], - "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", - "false_positives": [ - "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected." - ], - "index": [ - "packetbeat-*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "note": "This activity has been observed in FIN7 campaigns.", - "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "https://www.justice.gov/opa/press-release/file/1084361/download" - ], - "risk_score": 47, - "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", - "severity": "medium", - "tags": [ - "Elastic", - "Network", - "Threat Detection", - "Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a 
Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", + "false_positives": [ + "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected." + ], + "index": [ + "packetbeat-*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "note": "This activity has been observed in FIN7 campaigns.", + "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.justice.gov/opa/press-release/file/1084361/download" + ], + "risk_score": 47, + "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", + "type": "security_rule" } \ No newline at end of file 
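Review bot: The Lucene regex `url.path:/.*(rar|ps1)/` is implicitly anchored to the whole value and has no dot before the alternation, so it fires on any path whose final characters are `rar` or `ps1` whether or not they form a file extension, and because regex matching on a keyword field is case-sensitive it does not see uppercase variants. Requiring the extension explicitly, `url.path:/.*\.(rar|ps1)/` (backslash doubled inside the JSON string), or using `url.extension:(rar OR ps1)` where that ECS field is populated, states the intent directly. If these files are generated from a rule source, the change belongs upstream.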
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json b/packages/security_detection_engine/kibana/security_rule/rule-ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json index bf971ba0abd..07043b38adb 100644 --- a/packages/security_detection_engine/kibana/security_rule/rule-ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json +++ b/packages/security_detection_engine/kibana/security_rule/rule-ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json 
@@ -1,54 +1,58 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
- "false_positives": [
- "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "from": "now-30m",
- "index": [
- "filebeat-*",
- "logs-o365*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Microsoft 365 Exchange Transport Rule Creation",
- "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
- "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
- ],
- "risk_score": 47,
- "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0010",
- "name": "Exfiltration",
- "reference": "https://attack.mitre.org/tactics/TA0010/"
- },
- "technique": [
- {
- "id": "T1537",
- "name": "Transfer Data to Cloud Account",
- "reference": "https://attack.mitre.org/techniques/T1537/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 3
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a transport rule creation in Microsoft 365. 
Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
+ "false_positives": [
+ "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft 365 Exchange Transport Rule Creation",
+ "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+ "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+ ],
+ "risk_score": 47,
+ "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Microsoft 365",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0010",
+ "name": "Exfiltration",
+ "reference": "https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1537",
+ "name": "Transfer Data to Cloud Account",
+ "reference": "https://attack.mitre.org/techniques/T1537/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+ "type": "security_rule"
 }
\ No newline at end of file
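Review bot: The query carried into the new `attributes` block matches only `event.action:"New-TransportRule"`, so an existing transport rule that is later edited to forward or BCC mail to an external domain never fires this rule, even though the description frames external forwarding as the risk. Consider widening the action list, e.g. `event.action:("New-TransportRule" or "Set-TransportRule")`, or pairing this rule with a companion for rule modification, and adjusting the name and description to match. This file looks generated from the upstream rule source, so the change presumably belongs there rather than in this package.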
diff --git a/packages/security_detection_engine/kibana/security_rule/rule-ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json b/packages/security_detection_engine/kibana/security_rule/rule-ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
index 0fabb6091d9..678c0fff886 100644
--- a/packages/security_detection_engine/kibana/security_rule/rule-ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
+++ b/packages/security_detection_engine/kibana/security_rule/rule-ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
@@ -1,52 +1,56 @@
 {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
- "false_positives": [
- "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Firewall Rule Deletion",
- "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
- "references": [
- "https://cloud.google.com/vpc/docs/firewalls"
- ],
- "risk_score": 47,
- "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "threat": [
- {
- "framework": "MITRE ATT\u0026CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/"
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. 
An adversary may delete a firewall rule in order to weaken their target's security controls.",
+ "false_positives": [
+ "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Firewall Rule Deletion",
+ "note": "The GCP Filebeat module must be enabled to use this rule.",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
+ "references": [
+ "https://cloud.google.com/vpc/docs/firewalls"
+ ],
+ "risk_score": 47,
+ "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+ "type": "security_rule"
 }
\ No newline at end of file
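Review bot: The `note` in the new `attributes` block still says only the GCP Filebeat module must be enabled, yet the `index` list includes `logs-gcp*` and the query accepts `gcp.audit`, which appears to be the Fleet integration's dataset; the sibling Microsoft 365 rule in this diff phrases it as integration or module. Suggest `"note": "The GCP Fleet integration or Filebeat module must be enabled to use this rule."`. Unlike the M365 rule, this query has no `event.outcome` filter, so denied deletion attempts also alert; that is defensible but worth a sentence in the description or a false-positive entry. As the file appears to be generated, the wording change likely needs to be made upstream.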