[Detection Rules] Add 8.4 rules (#138574)

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
Justin Ibarra 2022-08-15 12:05:24 -06:00 committed by GitHub
parent e7772b1feb
commit 30218241cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
704 changed files with 20895 additions and 3300 deletions


@ -17,6 +17,18 @@
"references": [
"https://en.wikipedia.org/wiki/HTTP_403"
],
"required_fields": [
{
"ecs": true,
"name": "http.request.method",
"type": "keyword"
},
{
"ecs": true,
"name": "http.response.status_code",
"type": "long"
}
],
"risk_score": 47,
"rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
"severity": "medium",
@ -26,5 +38,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}


@ -17,6 +17,13 @@
"references": [
"https://en.wikipedia.org/wiki/HTTP_405"
],
"required_fields": [
{
"ecs": true,
"name": "http.response.status_code",
"type": "long"
}
],
"risk_score": 47,
"rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
"severity": "medium",
@ -26,5 +33,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}


@ -35,6 +35,13 @@
"references": [
"https://en.wikipedia.org/wiki/User_agent"
],
"required_fields": [
{
"ecs": true,
"name": "url.path",
"type": "wildcard"
}
],
"risk_score": 47,
"rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
"severity": "medium",
@ -44,5 +51,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
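Review bot: The generated `required_fields` for this rule lists only `url.path`, yet the only reference is the User-Agent article and the rule's subject is the User-Agent header, which suggests the query (outside this hunk) also tests `user_agent.original`; if it does, the list is incomplete and the missing-field warning Kibana derives from `required_fields` will not fire when that field is absent. Please confirm the list was generated from the final query and, if the field is used, add `{ "ecs": true, "name": "user_agent.original", "type": "keyword" }`.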


@ -17,6 +17,13 @@
"references": [
"http://sqlmap.org/"
],
"required_fields": [
{
"ecs": true,
"name": "user_agent.original",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
"severity": "medium",
@ -26,5 +33,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}


@ -1,37 +0,0 @@
{
"author": [
"Elastic"
],
"description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
"false_positives": [
"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-130m",
"index": [
"filebeat-*",
"logs-google_workspace*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "Application Added to Google Workspace Domain",
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
"query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
"references": [
"https://support.google.com/a/answer/6328701?hl=en#"
],
"risk_score": 47,
"rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Google Workspace",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 12
}


@ -15,14 +15,44 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS CloudTrail Log Created",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
],
"related_integrations": [
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Elastic",
@ -51,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}
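Review bot: `"note": ""` leaves an empty-string sentinel behind once the config text moves to `setup`; if the rule schema does not require `note`, drop the key rather than ship a value every consumer has to special-case. The new `related_integrations` entry pins `aws`/`cloudtrail` at `"version": "1.10.2"`, which presumably is meant as a minimum rather than an exact match — if Kibana treats it as a semver range, a bare version means "exactly 1.10.2" and operators on a newer package would see the integration flagged as not matching; confirm the intended semantics and use a range (e.g. `^1.10.2`) if that is what the generator supports.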


@ -15,14 +15,32 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Exporting Exchange Mailbox via PowerShell",
"note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive\nto a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive\nand strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation is done under change management and approved according to the organization's policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that\n assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on\na per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity\nand it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle\nis being followed.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive\nto a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive\nand strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that\n assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on\na per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity\nand it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle\nis being followed.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
"references": [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -62,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 8
"version": 10
}
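Review bot: `required_fields` omits `event.category`, although the query's `process where` clause is an implicit `event.category == "process"` filter, so the rule cannot match on an index where that field is unmapped; if the list is meant to enumerate every field the query depends on, add `{ "ecs": true, "name": "event.category", "type": "keyword" }`. The investigation-step rewording (change-management approval) reads well. One caveat worth a sentence in `setup`: the unchanged match `process.args : "New-MailboxExportRequest*"` only sees the literal cmdlet name on the command line, so an invocation passed via `-EncodedCommand` or assembled from string fragments would not contain it — the script-block-logging rules are the complement for that case.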


@ -13,13 +13,37 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "GCP Pub/Sub Subscription Creation",
"note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
"note": "",
"query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
"references": [
"https://cloud.google.com/pubsub/docs/overview"
],
"related_integrations": [
{
"package": "gcp",
"version": "1.10.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
"setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Elastic",
@ -48,5 +72,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}
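Review bot: Narrowing the dataset filter from `event.dataset:(googlecloud.audit or gcp.audit)` to `event.dataset:gcp.audit` silently drops events from the deprecated Filebeat `googlecloud` module, while the new `setup` text still says the Filebeat module or similarly structured data is compatible; anyone still shipping `googlecloud.audit` loses this detection with no error or mapping warning. If that source is intentionally desupported, say so in `setup`, e.g. `Requires the GCP integration or the Filebeat gcp module (event.dataset:gcp.audit); events from the legacy googlecloud module are no longer matched.`; otherwise keep the disjunction. `"note": ""` could also be dropped rather than left as an empty sentinel, if the schema allows.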


@ -13,13 +13,37 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "GCP Pub/Sub Topic Creation",
"note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
"note": "",
"query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
"references": [
"https://cloud.google.com/pubsub/docs/admin"
],
"related_integrations": [
{
"package": "gcp",
"version": "1.10.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
"setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Elastic",
@ -48,5 +72,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}
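Review bot: Dropping `googlecloud.audit` from the dataset filter (`event.dataset:gcp.audit` only) is a silent detection gap for deployments still using the deprecated Filebeat `googlecloud` module, and the `setup` string added here still advertises Filebeat-module compatibility without qualifying which module. Either restore the disjunction or state the constraint explicitly, e.g. append to `setup`: `Only event.dataset:gcp.audit is matched; the legacy googlecloud Filebeat module is not supported.`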


@ -16,16 +16,65 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 Inbox Forwarding Rule Created",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:\"New-InboxRule\" and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n ) \n and event.outcome:success\n",
"note": "",
"query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:\"New-InboxRule\" and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
"https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"
],
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
},
{
"ecs": false,
"name": "o365.audit.Parameters.ForwardAsAttachmentTo",
"type": "unknown"
},
{
"ecs": false,
"name": "o365.audit.Parameters.ForwardTo",
"type": "unknown"
},
{
"ecs": false,
"name": "o365.audit.Parameters.RedirectTo",
"type": "unknown"
}
],
"risk_score": 47,
"rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -61,5 +110,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 6
}
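Review bot: The three `o365.audit.Parameters.*` entries carry `"type": "unknown"`, meaning the generator could not resolve their mapping in o365 package 1.3.0, and those three existence checks (`:*`) are the entire detection condition. Depending on whether `o365.audit.Parameters` is mapped as an object, as `flattened`, or not at all, existence queries on its sub-keys behave differently, so an unresolved type here can mean the rule never fires without any warning; confirm the package mapping and record the resolved type, or state in `setup` that the field must be mapped. Separately, the query matches only `New-InboxRule`; a `Set-InboxRule` that adds `ForwardTo` to an existing rule is not covered, which is worth stating in the description if it is out of scope.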


@ -11,13 +11,26 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n )\n",
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n )\n",
"references": [
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 47,
"rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "medium",
"tags": [
"Elastic",
@ -67,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}
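Review bot: The new `setup` string repeats a word: `Steps to implement the logging policy with with Advanced Audit Configuration:` should read `Steps to implement the logging policy with Advanced Audit Configuration:`. Also, `powershell.file.script_block_text` is listed with `"type": "unknown"` while it is the only field the detection keys on; the setup text explains how to enable Script Block Logging but not that this field is presumably populated by the Windows integration's PowerShell operational-log data stream (or equivalent parsing), so a reader who enables the policy on a host shipped through a pipeline that does not parse event 4104 into that field gets no matches — one sentence naming the expected data stream would prevent that silent gap.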


@ -11,14 +11,27 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Keylogging Script",
"note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"query": "event.category:process and \n ( \n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or \n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n )\n",
"note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n )\n",
"references": [
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "high",
"tags": [
"Elastic",
@ -75,5 +88,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
"version": 7
}
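Review bot: The `required_fields` entry added for `powershell.file.script_block_text` declares `"type": "unknown"` even though this is the only field the query's term matches actually run against; if the integration mapping is known it should be stated (presumably a text type, given the unquoted substring matching in the query), so the field check performed on rule install is meaningful rather than a placeholder — to be confirmed against the PowerShell integration's field definition. The new `setup` string also repeats a word: `Steps to implement the logging policy with with Advanced Audit Configuration:` should read `Steps to implement the logging policy with Advanced Audit Configuration:`. Since `setup` is now the only place an operator sees the prerequisite after `## Config` was dropped from `note`, one added sentence that the same `EnableScriptBlockLogging` value can be set back to 0 to blind this rule, and therefore deserves its own monitoring, would be a useful caveat.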


@ -11,13 +11,26 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Suspicious Script with Screenshot Capabilities",
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n )\n",
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n )\n",
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 47,
"rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "medium",
"tags": [
"Elastic",
@ -67,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 6
}
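Review bot: The `setup` text introduced on the new side carries a duplicated word, `with with Advanced Audit Configuration`; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The identical string appears in the sibling PowerShell rules in this commit, so if these JSON files are generated from a shared template the fix belongs there rather than per file. The `required_fields` entry for `powershell.file.script_block_text` is typed `unknown`; as the query's `CopyFromScreen` and `Drawing.Bitmap` matches depend entirely on that field, pinning its real mapping type (once confirmed against the integration) would make the on-install field check worthwhile.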


@ -14,13 +14,38 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Event Hub Authorization Rule Created or Updated",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
],
"related_integrations": [
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
}
],
"required_fields": [
{
"ecs": false,
"name": "azure.activitylogs.operation_name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -64,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
"version": 7
}
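Review bot: `"note": ""` on the new side replaces the old prerequisite text with an empty string instead of dropping the key, which presumably leaves a blank investigation guide in the rule details; either remove the key or give the analyst something actionable. Because the query alerts on every successful `MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE`, a minimal `## Triage and analysis` section should direct the analyst to identify the caller behind the write and to check which rights the written rule carries — the referenced SAS document distinguishes Manage from Send and Listen, and a newly granted Manage right is the case worth escalating. A false-positive line naming expected deployment or IaC principals, as the other rules in this commit have, would complete it.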


@ -12,13 +12,41 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Encrypting Files with WinRar or 7z",
"note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
"references": [
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.code_signature.subject_name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -53,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}
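Review bot: The 7-Zip branch of the query keys only on `process.pe.original_file_name in ("7z.exe", "7za.exe")`, whereas the WinRAR branch accepts `process.name`, a code-signature subject or the original file name; on a data source that does not populate `process.pe.*` the 7-Zip half of the rule can never fire, and the new `required_fields` list now formalises that dependency without a fallback. Consider `((process.name : ("7z.exe", "7za.exe") or process.pe.original_file_name in ("7z.exe", "7za.exe")) and process.args == "a" and process.args : ("-p*", "-sdel"))` so both tools are handled the same way — keeping the original-file-name test is still valuable, since it survives a renamed binary where `process.name` does not.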


@ -12,12 +12,34 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Network Connection via Certutil",
"note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Retrieve the downloaded file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Retrieve the downloaded file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
"https://frsecure.com/malware-incident-response-playbook/"
],
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
"severity": "low",
@ -46,5 +68,5 @@
}
],
"type": "eql",
"version": 8
"version": 10
}


@ -22,6 +22,28 @@
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "tls.server.hash.md5",
"type": "keyword"
},
{
"ecs": true,
"name": "tls.server.hash.sha1",
"type": "keyword"
},
{
"ecs": true,
"name": "tls.server.hash.sha256",
"type": "keyword"
}
],
"risk_score": 99,
"rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
"severity": "critical",
@ -59,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 7
}


@ -12,6 +12,33 @@
"name": "Connection to Commonly Abused Web Services",
"note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised\nsystem. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the\nlikelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can\nbe abused for exfiltration or command and control.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. 
Noisy\nfalse positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n",
"required_fields": [
{
"ecs": true,
"name": "dns.question.name",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
"severity": "low",
@ -68,5 +95,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 9
"version": 10
}


@ -14,12 +14,39 @@
"license": "Elastic License v2",
"name": "Suspicious Network Connection Attempt by Root",
"note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n",
"query": "sequence by process.entity_id with maxspan=1m\n[network where event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and \n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\")]\n[process where event.action == \"session_id_change\" and user.id == \"0\"]\n",
"query": "sequence by process.entity_id with maxspan=1m\n[network where event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and \n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n[process where event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n",
"references": [
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
}
],
"risk_score": 43,
"rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce",
"severity": "medium",
@ -70,5 +97,5 @@
}
],
"type": "eql",
"version": 1
"version": 3
}
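Review bot: The new second sequence step in `query` repeats the same four-path `not process.executable : (...)` exclusion that the first step already applies, so the two lists now have to be kept in sync by hand; either apply the executable filter once or add a short comment in the EQL explaining why the `session_id_change` step needs its own copy. The exception is also keyed only on the executable path, which any process running as uid 0 can reuse; if the data source populates `process.hash.*`, anchoring the exception on a hash (or stating the path-only limitation in `note`) would make the allowlist less brittle. Separately, the unchanged `note` still heads its section "Investigating Connection Attempt by Non-SSH Root Session" while the rule is named "Suspicious Network Connection Attempt by Root"; aligning the heading with the name would help analysts locate the guidance.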


@ -1,49 +0,0 @@
{
"author": [
"Elastic"
],
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
"false_positives": [
"Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"filebeat-*",
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "DNS Activity to the Internet",
"query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n and source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
"references": [
"https://www.us-cert.gov/ncas/alerts/TA15-240A",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"risk_score": 47,
"rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
"severity": "medium",
"tags": [
"Elastic",
"Network",
"Threat Detection",
"Command and Control",
"Host"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 12
}


@ -17,6 +17,28 @@
"references": [
"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
"severity": "medium",
@ -58,5 +80,5 @@
"value": 15
},
"type": "threshold",
"version": 5
"version": 6
}


@ -23,6 +23,38 @@
"https://www.justice.gov/opa/press-release/file/1084361/download",
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
},
{
"ecs": true,
"name": "url.extension",
"type": "keyword"
},
{
"ecs": true,
"name": "url.path",
"type": "wildcard"
}
],
"risk_score": 47,
"rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
"severity": "medium",
@ -52,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 9
"version": 10
}


@ -12,10 +12,33 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Connection to Commonly Abused Free SSL Certificate Providers",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
"note": "",
"query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
"required_fields": [
{
"ecs": true,
"name": "dns.question.name",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "low",
"tags": [
"Elastic",
@ -43,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 6
}
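Review bot: The new `"note": ""` leaves an empty-string value where other rule files in this commit simply omit `note` when there is no triage guidance (the IPSEC NAT Traversal rule, for example, goes straight from `name` to `query`); an empty string and an absent key may be handled differently by consumers, so now that the content has moved to `setup` the key should be dropped rather than blanked. The rewritten `query` also still mixes literal tab characters with spaces in the indentation of the `process.executable` list — the commit trimmed the trailing whitespace on the blank lines but left the `\t`s — and normalising to spaces would keep the rule readable in the UI and diff-friendly.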


@ -16,6 +16,53 @@
"license": "Elastic License v2",
"name": "Potential Command and Control via Internet Explorer",
"query": "sequence by host.id, user.name with maxspan = 5s\n [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n",
"required_fields": [
{
"ecs": true,
"name": "dll.name",
"type": "keyword"
},
{
"ecs": true,
"name": "dns.question.name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
},
{
"ecs": true,
"name": "user.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
"severity": "medium",
@ -66,5 +113,5 @@
}
],
"type": "eql",
"version": 5
"version": 6
}


@ -18,6 +18,23 @@
"references": [
"https://code.kryo.se/iodine/"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
"severity": "high",
@ -25,9 +42,27 @@
"Elastic",
"Host",
"Linux",
"Threat Detection"
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1572",
"name": "Protocol Tunneling",
"reference": "https://attack.mitre.org/techniques/T1572/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 9
}


@ -22,8 +22,26 @@
"Elastic",
"Network",
"Threat Detection",
"ML"
"ML",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1572",
"name": "Protocol Tunneling",
"reference": "https://attack.mitre.org/techniques/T1572/"
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,33 @@
"Elastic",
"Network",
"Threat Detection",
"ML"
"ML",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/",
"subtechnique": [
{
"id": "T1071.004",
"name": "DNS",
"reference": "https://attack.mitre.org/techniques/T1071/004/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,33 @@
"Elastic",
"Network",
"Threat Detection",
"ML"
"ML",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/",
"subtechnique": [
{
"id": "T1071.001",
"name": "Web Protocols",
"reference": "https://attack.mitre.org/techniques/T1071/001/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,33 @@
"Elastic",
"Network",
"Threat Detection",
"ML"
"ML",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/",
"subtechnique": [
{
"id": "T1071.001",
"name": "Web Protocols",
"reference": "https://attack.mitre.org/techniques/T1071/001/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -17,6 +17,23 @@
"license": "Elastic License v2",
"name": "IPSEC NAT Traversal Port Activity",
"query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
"severity": "low",
@ -41,5 +58,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}


@ -21,6 +21,28 @@
"https://unit42.paloaltonetworks.com/unit42-badpatch/",
"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
],
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
"severity": "low",
@ -60,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}


@ -12,13 +12,21 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Port Forwarding Rule Addition",
"note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
"references": [
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
],
"required_fields": [
{
"ecs": true,
"name": "registry.path",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -46,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 7
"version": 9
}
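Review bot: The rewritten `note` opens by describing port forwarding of "incoming TCP connections (IPv4 or IPv6)", but the unchanged `query` matches only the `PortProxy\\v4tov4\\*` subkey, so proxy rules written under the IPv6 variants of that key would not raise this alert. Either broaden the pattern to `"registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\*\\\\*\""` (with a corresponding `version` bump) or state in the opening paragraph that only IPv4-to-IPv4 mappings are covered. The note's later sentence "This rule monitors the modifications to the ... v4tov4 subkeys" is accurate, so the inconsistency is confined to the introduction.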


@ -20,6 +20,38 @@
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
}
],
"risk_score": 47,
"rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
"severity": "medium",
@ -76,5 +108,5 @@
"timeline_title": "Comprehensive Network Timeline",
"timestamp_override": "event.ingested",
"type": "query",
"version": 14
"version": 15
}


@ -12,13 +12,26 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Remote Desktop Tunneling Detected",
"note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,\nranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would\nfilter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP\nconnections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated\nwith tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key\nmodification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,\nranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would\nfilter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP\nconnections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated\nwith tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key\nmodification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
"references": [
"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -46,5 +59,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}
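Review bot: The new `required_fields` array in this section lists only `event.type` and `process.args`, yet the EQL query's `process where` clause also filters on `event.category`, so anything that validates index mappings against `required_fields` would not learn that the rule depends on that field. The list appears to have been derived from field names that occur literally in the query text; if `event.category` is meant to be covered, add `{ "ecs": true, "name": "event.category", "type": "keyword" }` to the array. The same omission applies to the Desktopimgdownldr, MpCmdRun and PowerShell sections below, whose `process where`, `network where` and `file where` clauses likewise depend on `event.category`.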


@ -12,13 +12,36 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Remote File Download via Desktopimgdownldr Utility",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Retrieve the file and determine if it is malicious:\n - Identify the file type.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive 
analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Retrieve the file and determine if it is malicious:\n - Identify the file type.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive 
analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n",
"references": [
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -46,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 7
"version": 9
}
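Review bot: The rewritten `note` string still carries the doubled word in "is used to to configure lockscreen/desktop image"; since this line is already being replaced to move the Config paragraph into the new `setup` field, it is the right moment to correct it to `is used to configure the lockscreen/desktop image`. The `required_fields` entries and the `setup` text otherwise match the pattern used in the neighbouring rule files.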


@ -12,14 +12,37 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Remote File Download via MpCmdRun",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
"references": [
"https://twitter.com/mohammadaskar2/status/1301263551638761477",
"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -47,5 +70,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 7
"version": 9
}


@ -14,6 +14,53 @@
"name": "Remote File Download via PowerShell",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it\navailable for use in various environments and creates an attractive way for attackers to execute code and perform\nactions. This rule correlates network and file events to detect downloads of executable and script files performed using\nPowerShell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download 
executable and script files. Analysts can dismiss the alert\nif the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n",
"required_fields": [
{
"ecs": true,
"name": "dns.question.name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.extension",
"type": "keyword"
},
{
"ecs": true,
"name": "file.name",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "user.domain",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
"severity": "medium",
@ -64,5 +111,5 @@
}
],
"type": "eql",
"version": 5
"version": 6
}


@ -14,6 +14,53 @@
"name": "Remote File Download via Script Interpreter",
"note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the script file and the executable involved and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Manually analyze the script to determine if malicious capabilities are present.\n- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- The usage of these script engines by regular users 
is unlikely. In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.extension",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "network.direction",
"type": "keyword"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "network.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
"severity": "medium",
@ -42,5 +89,5 @@
}
],
"type": "eql",
"version": 5
"version": 6
}


@ -15,6 +15,28 @@
"references": [
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "http.request.body.content",
"type": "wildcard"
},
{
"ecs": true,
"name": "network.protocol",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
"severity": "high",
@ -73,5 +95,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 7
}


@ -12,13 +12,31 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Remote File Copy via TeamViewer",
"note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
"references": [
"https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.extension",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -51,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 7
"version": 9
}


@ -17,6 +17,23 @@
"license": "Elastic License v2",
"name": "Telnet Port Activity",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
"severity": "medium",
@ -73,5 +90,5 @@
"timeline_title": "Comprehensive Network Timeline",
"timestamp_override": "event.ingested",
"type": "query",
"version": 12
"version": 13
}


@ -11,14 +11,27 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Protocol Tunneling via EarthWorm",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
"references": [
"http://rootkiter.com/EarthWorm/",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -46,5 +59,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}
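Review bot: The replacement line `"note": "",` leaves an empty-string sentinel in the Potential Protocol Tunneling via EarthWorm rule after its `## Config` text moved to the new `setup` key; a consumer that renders the investigation guide whenever `note` is present will show a blank guide, and an empty string is not the same as "no note" for schema-driven tooling. The same pattern appears in the Access of Stored Browser Credentials, Attempted Bypass of Okta MFA, Attempts to Brute Force an Okta User Account and Azure Full Network Packet Capture Detected sections. If the rule schema does not require the key, drop the `"note": "",` line in each of these files; if it does, keep it consistently across every rule so the two states stay distinguishable. Only two hunks of this rule object are shown, so the remainder of the file is outside the diff.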


@ -20,6 +20,33 @@
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
}
],
"risk_score": 73,
"rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
"severity": "high",
@ -65,5 +92,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 11
"version": 12
}


@ -20,6 +20,33 @@
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"required_fields": [
{
"ecs": true,
"name": "destination.ip",
"type": "ip"
},
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "network.transport",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
}
],
"risk_score": 47,
"rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
"severity": "medium",
@ -50,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 11
"version": 12
}


@ -11,13 +11,26 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Access of Stored Browser Credentials",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n \"/Users/*/Library/Cookies*\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n \"Login Data\",\n \"Cookies.binarycookies\", \n \"key4.db\", \n \"key3.db\", \n \"logins.json\", \n \"cookies.sqlite\"\n )\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n",
"references": [
"https://securelist.com/calisto-trojan-for-macos/86543/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -35,6 +48,11 @@
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"reference": "https://attack.mitre.org/techniques/T1539/"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
@ -52,5 +70,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}
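Review bot: The new Chrome pattern in `query` adds `Profile*/Cookies` but not the matching `Profile*/Login Data`, so cookie access from a non-default Chrome profile is now caught while password-store access from the same profile is still missed; the existing `Default/` entries cover both files, and because `:` compares the whole argument the bare `\"Login Data\"` term does not cover a full path. Adding `\"/Users/*/Library/Application Support/Google/Chrome/Profile*/Login Data\",\n` beside the new Cookies line keeps the two profile patterns symmetric. This also keeps the rule's T1555 mapping aligned with the T1539 technique added in the second hunk, since both are now intended to cover non-default profiles.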


@ -10,14 +10,33 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempted Bypass of Okta MFA",
"note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "high",
"tags": [
"Elastic",
@ -38,7 +57,7 @@
"technique": [
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"name": "Multi-Factor Authentication Interception",
"reference": "https://attack.mitre.org/techniques/T1111/"
}
]
@ -46,5 +65,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}


@ -13,14 +13,33 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempts to Brute Force an Okta User Account",
"note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:okta.system and event.action:user.account.lock\n",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -54,5 +73,5 @@
"value": 3
},
"type": "threshold",
"version": 5
"version": 7
}


@ -11,14 +11,49 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS IAM Brute Force of Assume Role Policy",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar\nto an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot\ndo in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone\nwho needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated\nwith it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or\nhijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute\nforce attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment.\nIf only one role was targeted in the requests and that role previously existed, it may be a false positive, since\nautomations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
"references": [
"https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
"https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
],
"related_integrations": [
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
}
],
"required_fields": [
{
"ecs": false,
"name": "aws.cloudtrail.error_code",
"type": "keyword"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -50,5 +85,5 @@
"value": 25
},
"type": "threshold",
"version": 5
"version": 7
}


@ -14,13 +14,38 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Full Network Packet Capture Detected",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and \nevent.outcome:(Success or success)\n",
"note": "",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
],
"related_integrations": [
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
}
],
"required_fields": [
{
"ecs": false,
"name": "azure.activitylogs.operation_name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -49,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 3
}


@ -12,13 +12,46 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Credential Access via Windows Utilities",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and\ngroup membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active\nDirectory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file \nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
"references": [
"https://lolbas-project.github.io/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -58,5 +91,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}
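Review bot: The query on L2252 (an unchanged line in this hunk) joins `event.type in ("start", "process_started") and (procdump …)` to eight further `or` branches without grouping them; EQL gives `and` precedence over `or`, so the `event.type` restriction applies only to the procdump branch, and every other branch matches any `process` event for that binary, not just process starts, which can produce duplicate alerts for one execution. Wrapping all nine branches in a single pair of parentheses after the `and` — `process where event.type in ("start", "process_started") and (` … `)` — scopes the filter to all of them. This is pre-existing behaviour the commit does not touch, and the rule object opens before the hunk.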


@ -15,6 +15,28 @@
"references": [
"https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
"severity": "medium",
@ -74,5 +96,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}


@ -17,16 +17,34 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "Potential Cookies Theft via Browser Debugging",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
"references": [
"https://github.com/defaultnamehere/cookie_crimes",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -56,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}


@ -14,14 +14,32 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "NTDS or SAM Database File Copied",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
"references": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -56,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}


@ -14,8 +14,51 @@
],
"language": "eql",
"license": "Elastic License v2",
"name": "Microsoft Build Engine Loading Windows Credential Libraries",
"query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
"name": "Potential Credential Access via Trusted Developer Utility",
"note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML\nschema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was\nintroduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will\ncompile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass\napplication control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of\ncredential access activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file \nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n",
"required_fields": [
{
"ecs": true,
"name": "dll.name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
"severity": "high",
@ -44,5 +87,5 @@
}
],
"type": "eql",
"version": 9
"version": 11
}
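Review bot: The new `note` on L2441–L2443 tells the analyst to search for login events "to the target host after the registry modification", but this rule keys on MSBuild loading `vaultcli.dll` or `SAMLib.DLL` and involves no registry activity, so the phrase reads as carried over from another rule's guidance; suggest `to the target host around the time of the library load`. The sequence on L2444 also carries no `maxspan`, so the two events may be arbitrarily far apart; that is presumably deliberate for a long-lived build process, but a sentence in the note saying so would save the next tuner from wondering. The rule object opens before the hunk.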


@ -11,14 +11,37 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Access to Keychain Credentials Directories",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n",
"references": [
"https://objective-see.com/blog/blog_0x25.html",
"https://securelist.com/calisto-trojan-for-macos/86543/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.executable",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -53,5 +76,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}
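Review bot: The exclusions added on L2507 identify the OpenVPN, Microsoft Defender and JumpCloud agents by executable path alone, so any process running from, or spawned by something at, those paths is exempt from the rule regardless of what it actually is. If the endpoint data populates the ECS `process.code_signature.*` fields, pairing each path with its expected signer would keep the exclusion from widening beyond the intended binaries; if it does not, a line in `setup` stating that the exclusions are path-based would help tuners understand the trade-off. The rule object opens before the hunk.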


@ -11,15 +11,28 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Kerberos Pre-authentication Disabled for User",
"note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting\naccess to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request\n(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to\nsuccessfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server\nResponse (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is\nsigned with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that\nif the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that\ncan be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. 
The security team\nshould map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nAccount Management > \nAudit User Account Management (Success,Failure)\n```\n",
"note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting\naccess to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request\n(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to\nsuccessfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server\nResponse (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is\nsigned with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that\nif the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that\ncan be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. 
The security team\nshould map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.code:4738 and message:\"'Don't Require Preauth' - Enabled\"\n",
"references": [
"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
],
"required_fields": [
{
"ecs": true,
"name": "event.code",
"type": "keyword"
},
{
"ecs": true,
"name": "message",
"type": "match_only_text"
}
],
"risk_score": 47,
"rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1",
"setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```",
"severity": "medium",
"tags": [
"Elastic",
@ -54,5 +67,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 3
"version": 5
}
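Review bot: The new `note` on L2556–L2557 quotes the audit text as `'Don't Require Preauth' \u2013 Enabled` (an en dash) while the query on L2558 matches `'Don't Require Preauth' - Enabled` with an ASCII hyphen; if the note is meant to show the literal string the rule matches, the two should agree, otherwise an analyst who copies it from the note into a search gets no hits. The en dash may simply be inherited from the Microsoft page being paraphrased, so aligning the note with the hyphen form used by the query is the safer edit. The rule object opens before the hunk.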


@ -12,14 +12,27 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Creation or Modification of Domain Backup DPAPI private key",
"note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
"query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
"references": [
"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -59,5 +72,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 8
"version": 10
}


@ -12,13 +12,31 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Credential Acquisition via Registry Hive Dumping",
"note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
"references": [
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -58,5 +76,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}
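Review bot: The rewritten investigation guide (the new `note` value, shown wrapped across two lines in this hunk) still carries the misspelling `legitamitely` in the False positive analysis bullet; since the commit already rewrites that line to drop the `## Config` section, it is the right moment to change it to `legitimately`. The rest of the new content is consistent: the `required_fields` entries (`event.type`, `process.args`, `process.pe.original_file_name`) are exactly the fields the `query` reads, and the `setup` text reproduces the removed Config paragraph verbatim.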


@ -16,6 +16,28 @@
"https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
"https://www.unix.com/man-page/osx/8/mkpassdb/"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
"severity": "high",
@ -45,5 +67,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}


@ -11,13 +11,26 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Dumping of Keychain Content via Security Command",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
"references": [
"https://ss64.com/osx/security.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -52,5 +65,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}
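Review bot: Replacing the Config-only guide with `"note": ""` leaves an empty investigation guide in the rule rather than removing the field; the rule with rule_id `02ea4563-ec10-4974-b7de-12e65aa4f9b3` updated just above carries no `note` key at all, so two conventions now coexist in the same commit. Unless the rule schema requires the key to be present, prefer dropping the line so consumers do not render an empty guide. The same empty-string `note` appears in the Microsoft IIS Service Account Password Dumped, Microsoft IIS Connection Strings Decryption, Azure Key Vault Modified and Keychain Password Retrieval via Command Line sections below.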


@ -0,0 +1,78 @@
{
"author": [
"Elastic"
],
"description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"from": "now-15m",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"max_signals": 10000,
"name": "Credential Dumping - Detected - Elastic Endgame",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
"required_fields": [
{
"ecs": false,
"name": "endgame.event_subtype_full",
"type": "unknown"
},
{
"ecs": false,
"name": "endgame.metadata.type",
"type": "unknown"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.kind",
"type": "keyword"
},
{
"ecs": true,
"name": "event.module",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
"severity": "high",
"tags": [
"Elastic",
"Elastic Endgame",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/",
"subtechnique": [
{
"id": "T1003.001",
"name": "LSASS Memory",
"reference": "https://attack.mitre.org/techniques/T1003/001/"
}
]
}
]
}
],
"type": "query",
"version": 9
}
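Review bot: This new rule file has no `timestamp_override`, unlike the other query rules visible in this commit, while `from` is `now-15m` and `interval` is `10m`; an Endgame alert whose `@timestamp` is more than five minutes older than its indexing time would fall outside every execution window. If the `endgame-*` documents populate `event.ingested`, adding `"timestamp_override": "event.ingested"` closes that gap; if they do not, a one-line explanation in the description would save the next reviewer the same question. The file is also added with `"version": 9`, which is fine if this is a moved rule but not for a genuinely new one, which should start at 1. The Credential Dumping - Prevented - Elastic Endgame section below has the same shape and the same two questions apply.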


@ -0,0 +1,78 @@
{
"author": [
"Elastic"
],
"description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"from": "now-15m",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"max_signals": 10000,
"name": "Credential Dumping - Prevented - Elastic Endgame",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
"required_fields": [
{
"ecs": false,
"name": "endgame.event_subtype_full",
"type": "unknown"
},
{
"ecs": false,
"name": "endgame.metadata.type",
"type": "unknown"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.kind",
"type": "keyword"
},
{
"ecs": true,
"name": "event.module",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
"severity": "medium",
"tags": [
"Elastic",
"Elastic Endgame",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/",
"subtechnique": [
{
"id": "T1003.001",
"name": "LSASS Memory",
"reference": "https://attack.mitre.org/techniques/T1003/001/"
}
]
}
]
}
],
"type": "query",
"version": 9
}


@ -15,13 +15,43 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS IAM User Addition to Group",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify\nwho can access which services and resources, and under which conditions. With IAM policies, you manage permissions to\nyour workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher\nconfidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to\nreduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
],
"related_integrations": [
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Elastic",
@ -29,7 +59,9 @@
"AWS",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
"Identity and Access",
"Credential Access",
"Persistence"
],
"threat": [
{
@ -59,5 +91,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 8
}
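Review bot: The tag list gains `Credential Access` and `Persistence`, but the `threat` array that should carry the matching TA0006 / TA0003 tactic entries begins at the bottom of this hunk and continues outside it, and no change to it is shown; if those tactic mappings were not added alongside the tags, the tags and the ATT&CK mapping now disagree. Tags drive filtering in the rule UI, so it is worth confirming the two match before merge. The `required_fields` entries (`event.action`, `event.dataset`, `event.outcome`, `event.provider`) do match the fields the `query` reads.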


@ -13,13 +13,36 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "Microsoft IIS Service Account Password Dumped",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n",
"references": [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -47,5 +70,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 5
"version": 7
}


@ -13,14 +13,37 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "Microsoft IIS Connection Strings Decryption",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
"references": [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -48,5 +71,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 5
"version": 7
}


@ -15,10 +15,48 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Kerberos Traffic from Unusual Process",
"note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert false positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
"note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\") and\n destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert false positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
"required_fields": [
{
"ecs": true,
"name": "destination.address",
"type": "keyword"
},
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "network.direction",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "source.port",
"type": "long"
}
],
"risk_score": 47,
"rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -46,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 7
"version": 9
}
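Review bot: The new `process.executable` exclusion list in `query` allowlists vulnerability scanners (Nexpose, LanGuard, SuperScan, Nmap) purely by path, with `?:` wildcarding the drive; path-only exclusions are the weakest form of allowlisting, so consider pairing them with `process.code_signature.trusted == true` and the expected `process.code_signature.subject_name` so only the signed scanner binaries are excluded. The False positive analysis bullet in the rewritten `note` still mentions only HTTP on non-standard ports and says nothing about these scanner exclusions; a sentence naming them would help analysts tune the list. If the signature conditions are added, `required_fields` needs matching `process.code_signature.trusted` and `process.code_signature.subject_name` entries, since the list currently mirrors the query field for field.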


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
"description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.",
"from": "now-9m",
"index": [
"auditbeat-*",
@ -16,6 +16,28 @@
"https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
"https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
"severity": "high",
@ -57,5 +79,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 6
}


@ -14,14 +14,39 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Key Vault Modified",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
],
"related_integrations": [
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
}
],
"required_fields": [
{
"ecs": false,
"name": "azure.activitylogs.operation_name",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -57,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
"version": 7
}


@ -14,7 +14,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Keychain Password Retrieval via Command Line",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
"references": [
"https://www.netmeister.org/blog/keychain-passwords.html",
@ -22,8 +22,31 @@
"https://ss64.com/osx/security.html",
"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.executable",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -70,5 +93,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 5
}
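Review bot: The exclusion `not process.parent.executable : "/Applications/Keeper Password Manager.app/.../Keeper Password Manager Helper*"` in the `"query"` line is a path-only allow-list on a high-severity credential-access rule, so anything launched from a parent at that path (note the two `*` wildcards) is exempt regardless of what that parent actually is. Where the data source populates them, tightening it with the parent's signing identity (`process.parent.code_signature.*`, e.g. `and not (process.parent.executable : "..." and process.parent.code_signature.trusted == true)`) keeps the false-positive fix without trusting the path alone; I cannot tell from the hunk whether the macOS events feeding this rule carry those fields. `"note": ""` also removes all triage text, so the reason for this single exclusion is no longer recorded anywhere in the rule; a one-line note naming the password manager as the known benign caller would preserve that context.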


@ -0,0 +1,84 @@
{
"author": [
"Elastic"
],
"description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Suspicious LSASS Access via MalSecLogon",
"note": "",
"query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n",
"references": [
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.code",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": false,
"name": "winlog.event_data.CallTrace",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.GrantedAccess",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.TargetImage",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/",
"subtechnique": [
{
"id": "T1003.001",
"name": "LSASS Memory",
"reference": "https://attack.mitre.org/techniques/T1003/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
}
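Review bot: `winlog.event_data.GrantedAccess == "0x14c0"` in the `"query"` line uses EQL's case-sensitive `==`, while every other string match on that line uses the case-insensitive `:`; if the event source renders the access mask in upper-case hex the rule never fires, so `winlog.event_data.GrantedAccess : "0x14c0"` is the safer form. The three `winlog.event_data.*` entries in `required_fields` are declared `"type": "unknown"`, whereas the same family of field is declared `"keyword"` elsewhere in this commit (`winlog.event_data.ProcessName` in the LSASS Memory Dump Handle Access rule), so the field check cannot validate these mappings and the two declarations should be reconciled. `"note": ""` leaves a new high-severity credential-access rule with no triage guidance; at minimum the note should state what the access-rights value means (the in-query comment already spells out `PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION`) and that the expected benign caller is svchost.exe hosting seclogon, so analysts know which part of the match to scrutinise.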


@ -12,14 +12,32 @@
"language": "eql",
"license": "Elastic License v2",
"name": "LSASS Memory Dump Creation",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
"note": "",
"query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n",
"references": [
"https://github.com/outflanknl/Dumpert",
"https://github.com/hoangprod/AndrewSpecial"
],
"required_fields": [
{
"ecs": true,
"name": "file.name",
"type": "keyword"
},
{
"ecs": true,
"name": "file.path",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -56,5 +74,5 @@
"timeline_title": "Comprehensive File Timeline",
"timestamp_override": "event.ingested",
"type": "eql",
"version": 9
"version": 11
}
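Review bot: The two new `not (...)` clauses in the `"query"` line allow-list dump files purely by `process.executable` and `file.path` patterns, and the second one drops every `lsass.exe.*.dmp` that WerFault.exe writes into the system-profile CrashDumps folder; since a crash dump of lsass.exe is not always the result of a genuine crash, that path becomes a blind spot for the rule rather than a benign false positive. Consider keeping the WerFault case as a lower-risk match (or a separate rule) instead of an exclusion, and pairing the SqlDumper/dllhost exclusion with a code-signature condition where the data source provides one. Independently, `"note": ""` removes all explanatory text, so the reason for these exclusions is not recorded; a note such as `Exclusions cover SQL Server SqlDumper/dllhost error dumps and WerFault crash dumps of lsass.exe; review whether these paths apply in environments without SQL Server.` would keep the triage context with the rule.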


@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "LSASS Memory Dump Handle Access",
"note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using \n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect 
the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using\n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect 
the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n",
"references": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
@ -20,8 +20,41 @@
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
"http://findingbad.blogspot.com/2017/"
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.code",
"type": "keyword"
},
{
"ecs": false,
"name": "winlog.event_data.AccessMask",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.AccessMaskDescription",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.ObjectName",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.ProcessName",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
"setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -56,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}
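Review bot: The new `"note"` value still carries the audit-policy instructions and the `event.ingested` caveat that this commit copies into `"setup"`, so the same text now lives in two keys of one file and can drift; every other rule in this commit removes that text from `note` when it gains `setup` (LSASS Memory Dump Creation directly above, for example), so the trailing paragraphs from `Ensure advanced audit policies...` onward should be cut from `note` here as well. In `required_fields`, `winlog.event_data.ProcessName` is declared `"type": "keyword"` while its three sibling `winlog.event_data.*` fields are `"unknown"`; unless the mapping genuinely differs, these should agree. The `"setup"` copy also dropped the links to the Event 4656 and SACL documentation that the note version retains, so if `setup` is meant to be the canonical location the links should move with the text.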


@ -10,13 +10,31 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Abuse of Repeated MFA Push Notifications",
"note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "sequence by user.email with maxspan=10m\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n",
"references": [
"https://www.mandiant.com/resources/russian-targeting-gov-business"
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.module",
"type": "keyword"
},
{
"ecs": true,
"name": "user.email",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7",
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "high",
"tags": [
"Elastic",
@ -44,5 +62,5 @@
}
],
"type": "eql",
"version": 2
"version": 4
}


@ -16,13 +16,47 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempts to Brute Force a Microsoft 365 User Account",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
"references": [
"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
],
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
},
{
"ecs": false,
"name": "o365.audit.LogonError",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "high",
"tags": [
"Elastic",
@ -56,5 +90,5 @@
"value": 10
},
"type": "threshold",
"version": 7
"version": 9
}
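Review bot: The `not o365.audit.LogonError:(UserAccountNotFound or ...)` clause in the `"query"` line means failed logons against accounts that do not exist never count toward the threshold, so credential guessing that also guesses usernames is largely invisible to this rule, whereas the sibling Potential Password Spraying rule below counts those events; the asymmetry may be deliberate, but with `"note": ""` it is no longer stated anywhere. If that is the intent, record it, e.g. `Logon errors for unknown accounts and for MFA/enrollment prompts are excluded to reduce noise; attempts against non-existent accounts are left to the password spraying rule.`, and if it is not, the exclusion list should be narrowed to the MFA/enrollment errors. The threshold field this rule groups by is outside the hunk, so I cannot tell whether the count of 10 is per user or per source.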


@ -14,10 +14,39 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential Password Spraying of Microsoft 365 User Accounts",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n",
"note": "",
"query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n",
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "high",
"tags": [
"Elastic",
@ -51,5 +80,5 @@
"value": 25
},
"type": "threshold",
"version": 6
"version": 8
}


@ -12,10 +12,23 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Mimikatz Memssp Log File Detected",
"note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
"required_fields": [
{
"ecs": true,
"name": "file.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -43,5 +56,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 6
"version": 8
}


@ -11,14 +11,27 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential Invoke-Mimikatz PowerShell Script",
"note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump\ncredentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be\ntreated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the\n \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the\ntarget host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide\nthis capability.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump\ncredentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be\ntreated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the\n \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the\ntarget host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide\nthis capability.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n",
"references": [
"https://attack.mitre.org/software/S0002/",
"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
"setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "high",
"tags": [
"Elastic",
@ -53,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 3
}
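Review bot: The rewritten `note` and the new `setup` string in this section carry spelling slips that analysts will read during triage: `Invoke-Mimikataz` and `Invoke-Mimitakz` in the note (both should read `Invoke-Mimikatz`), and `with with Advanced Audit Configuration` in setup. Since the commit already rewrites both strings, this is the right place to correct them rather than carrying them into the next version bump. The required_fields entry typed `"unknown"` for `powershell.file.script_block_text` is presumably what the generator emits for non-ECS fields; if so, that is fine, but worth confirming the field is still resolvable by the rule's index patterns.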


@ -19,6 +19,33 @@
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.executable",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
"severity": "medium",
@ -48,5 +75,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 2
"version": 3
}


@ -22,8 +22,26 @@
"Elastic",
"Authentication",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"type": "machine_learning",
"version": 2
"version": 3
}


@ -22,8 +22,26 @@
"Elastic",
"Authentication",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"type": "machine_learning",
"version": 1
"version": 2
}


@ -22,8 +22,26 @@
"Elastic",
"Authentication",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"type": "machine_learning",
"version": 2
"version": 3
}


@ -22,8 +22,33 @@
"Host",
"Linux",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.005",
"name": "Cloud Instance Metadata API",
"reference": "https://attack.mitre.org/techniques/T1552/005/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,33 @@
"Host",
"Linux",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.005",
"name": "Cloud Instance Metadata API",
"reference": "https://attack.mitre.org/techniques/T1552/005/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,26 @@
"Elastic",
"Authentication",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"type": "machine_learning",
"version": 5
"version": 6
}


@ -22,8 +22,33 @@
"Host",
"Windows",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.005",
"name": "Cloud Instance Metadata API",
"reference": "https://attack.mitre.org/techniques/T1552/005/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -22,8 +22,33 @@
"Host",
"Windows",
"Threat Detection",
"ML"
"ML",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.005",
"name": "Cloud Instance Metadata API",
"reference": "https://attack.mitre.org/techniques/T1552/005/"
}
]
}
]
}
],
"type": "machine_learning",
"version": 4
"version": 5
}


@ -12,15 +12,43 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Modification of WDigest Security Provider",
"note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send\ncleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications\nbased on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,\nwhich is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the\n`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is\ncommonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should\ntreat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the entire domain to credential compromises and\nconsequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "registry where event.type : (\"creation\", \"change\") and\n registry.path : \n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n and registry.data.strings : (\"1\", \"0x00000001\")\n",
"note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send\ncleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications\nbased on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,\nwhich is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the\n`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is\ncommonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should\ntreat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the entire domain to credential compromises and\nconsequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "registry where event.type : (\"creation\", \"change\") and\n registry.path :\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n",
"references": [
"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019",
"https://frsecure.com/compromised-credentials-response-playbook"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "registry.data.strings",
"type": "wildcard"
},
{
"ecs": true,
"name": "registry.path",
"type": "keyword"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -55,5 +83,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 6
}
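Review bot: The new exclusion in `query`, `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")`, is not reflected in the rewritten `note`, whose False positive analysis still states that this modification should not happen legitimately. An analyst reading the guide would not know that writes to `UseLogonCredential` made by svchost.exe under SYSTEM are dropped by the rule, nor why. Consider adding to the False positive analysis a sentence such as `- Writes performed by svchost.exe running as SYSTEM (S-1-5-18) are excluded by this rule; confirm this matches your environment's baseline, since any code executing inside that process as SYSTEM is also excluded.` The component that legitimately writes this value is presumably known to the author and is worth naming in the note or references so the exclusion can be re-evaluated later.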


@ -12,6 +12,33 @@
"name": "Windows Registry File Creation in SMB Share",
"note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the\ncase for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not\nmonitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive\nfile on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of\nactivity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
"query": "file where event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : \"s-1-5-21*\"\n",
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": false,
"name": "file.Ext.header_bytes",
"type": "unknown"
},
{
"ecs": true,
"name": "file.size",
"type": "long"
},
{
"ecs": true,
"name": "process.pid",
"type": "long"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494",
"severity": "medium",
@ -71,5 +98,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}


@ -13,14 +13,38 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Okta Brute Force or Password Spraying Attack",
"note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@ -54,5 +78,5 @@
"value": 25
},
"type": "threshold",
"version": 5
"version": 7
}
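Review bot: `"note": ""` on the new side leaves an empty investigation-guide string after the Config text was moved to `setup`; if the rule schema treats `note` as optional, dropping the key is cleaner than an empty-string sentinel, and if it is required, a short triage guide pointing at the threshold (`"value": 25` in the second hunk) and the Okta system-log references would be more useful than an empty field. The `related_integrations` entry `"version": "1.3.0"` reads as a pinned version; if it denotes a minimum compatible integration version, stating that in `setup` would avoid confusion for users on newer package releases.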


@ -18,6 +18,23 @@
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
],
"required_fields": [
{
"ecs": true,
"name": "registry.data.strings",
"type": "wildcard"
},
{
"ecs": true,
"name": "registry.path",
"type": "keyword"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
"severity": "medium",
@ -63,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 4
}


@ -14,15 +14,28 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell MiniDump Script",
"note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other\nprivileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false\npositives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other\nprivileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false\npositives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
"references": [
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "high",
"tags": [
"Elastic",
@ -79,5 +92,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 9
}
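Review bot: The new `setup` value carries over the duplicated word in "Steps to implement the logging policy with with Advanced Audit Configuration"; since this text is being rewritten anyway, it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The same duplication is present in the `setup` value of the PowerShell Kerberos Ticket Request section. The rule object begins and ends outside the hunk.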


@ -11,14 +11,27 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Kerberos Ticket Request",
"note": "## Triage and analysis\n\n### Investigating Explicit PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute\nforce to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to\nperform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)\nrelated to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request\nKerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password\nrequirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n )\n",
"note": "## Triage and analysis\n\n### Investigating Explicit PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute\nforce to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to\nperform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)\nrelated to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request\nKerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password\nrequirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "event.category:process and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n )\n",
"references": [
"https://cobalt.io/blog/kerberoast-attack-techniques",
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 47,
"rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
"severity": "medium",
"tags": [
"Elastic",
@ -80,5 +93,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 3
"version": 5
}


@ -11,13 +11,36 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Credential Access via DuplicateHandle in LSASS",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
"note": "",
"query": "process where event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
"references": [
"https://github.com/CCob/MirrorDump"
],
"required_fields": [
{
"ecs": true,
"name": "event.code",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": false,
"name": "winlog.event_data.CallTrace",
"type": "unknown"
},
{
"ecs": false,
"name": "winlog.event_data.GrantedAccess",
"type": "unknown"
}
],
"risk_score": 47,
"rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -52,5 +75,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 5
}


@ -15,6 +15,28 @@
"references": [
"https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
"severity": "medium",
@ -49,5 +71,5 @@
"value": 20
},
"type": "threshold",
"version": 2
"version": 3
}


@ -11,14 +11,32 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Prompt for Credentials with OSASCRIPT",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
"references": [
"https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
"https://ss64.com/osx/osascript.html"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -53,5 +71,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 6
}


@ -18,6 +18,23 @@
"https://github.com/topotam/PetitPotam",
"https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6",
"severity": "high",
@ -46,5 +63,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}


@ -12,13 +12,76 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Remote Credential Access via Registry",
"note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, \nsuch as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped\ncredentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be\ncollected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : \"S-1-5-21-*\" and file.size >= 30000]\n",
"note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material,\nsuch as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped\ncredentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
"query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : \"S-1-5-21-*\" and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n",
"references": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": false,
"name": "file.Ext.header_bytes",
"type": "unknown"
},
{
"ecs": true,
"name": "file.path",
"type": "keyword"
},
{
"ecs": true,
"name": "file.size",
"type": "long"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
},
{
"ecs": true,
"name": "user.domain",
"type": "keyword"
},
{
"ecs": true,
"name": "user.id",
"type": "keyword"
},
{
"ecs": true,
"name": "user.name",
"type": "keyword"
},
{
"ecs": false,
"name": "winlog.logon.type",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8",
"setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be\ncollected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "high",
"tags": [
"Elastic",
@ -68,5 +131,5 @@
}
],
"type": "eql",
"version": 2
"version": 4
}
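Review bot: The query now requires `event.action == "logged-in"` on the authentication event and excludes five `file.path` patterns for profile hives written by svchost.exe, but the `note` still says under "False positive analysis" that "This activity is unlikely to happen legitimately", which the new exclusion list contradicts. A sentence in that section naming the carved-out writes (UsrClass.dat and NTUSER.DAT under the user profile, and the HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry files under system32) would tell an analyst why those paths no longer alert and make later tuning reviewable. The rule object begins and ends outside the hunk.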


@ -14,13 +14,48 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS Management Console Brute Force of Root User Identity",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "",
"query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n",
"references": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
],
"related_integrations": [
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
}
],
"required_fields": [
{
"ecs": false,
"name": "aws.cloudtrail.user_identity.type",
"type": "keyword"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "high",
"tags": [
"Elastic",
@ -54,5 +89,5 @@
"value": 10
},
"type": "threshold",
"version": 3
"version": 5
}


@ -12,14 +12,37 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Searching for Saved Credentials via VaultCmd",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n",
"references": [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/"
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.pe.original_file_name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@ -59,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 6
}
