[Security Solution] Remove detection rules distributed via the file system (#143839)
parent
da793b7a3c
commit
3e499922ff
757 changed files with 390 additions and 61057 deletions
|
@ -63,6 +63,7 @@ const uploadPipeline = (pipelineContent: string | object) => {
|
|||
/^x-pack\/plugins\/triggers_actions_ui\/public\/application\/sections\/action_connector_form/,
|
||||
/^x-pack\/plugins\/triggers_actions_ui\/public\/application\/context\/actions_connectors_context\.tsx/,
|
||||
/^x-pack\/test\/security_solution_cypress/,
|
||||
/^fleet_packages\.json/, // It contains reference to prebuilt detection rules, we want to run security solution tests if it changes
|
||||
])) ||
|
||||
GITHUB_PR_LABELS.includes('ci:all-cypress-suites')
|
||||
) {
|
||||
|
|
5
.github/CODEOWNERS
vendored
5
.github/CODEOWNERS
vendored
|
@ -642,11 +642,6 @@ x-pack/plugins/threat_intelligence @elastic/protections-experience
|
|||
x-pack/plugins/security_solution/public/threat_intelligence @elastic/protections-experience
|
||||
x-pack/test/threat_intelligence_cypress @elastic/protections-experience
|
||||
|
||||
|
||||
# Security Intelligence And Analytics
|
||||
/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/content/prepackaged_rules @elastic/security-intelligence-analytics
|
||||
|
||||
|
||||
# Security Asset Management
|
||||
/x-pack/plugins/osquery @elastic/security-asset-management
|
||||
/x-pack/plugins/security_solution/common/detection_engine/rule_response_actions @elastic/security-asset-management
|
||||
|
|
64
NOTICE.txt
64
NOTICE.txt
|
@ -161,70 +161,6 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
---
|
||||
Detection Rules
|
||||
Copyright 2021 Elasticsearch B.V.
|
||||
|
||||
---
|
||||
This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
|
||||
which is available under a "MIT" license. The rules based on this license are:
|
||||
|
||||
- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
|
||||
- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
|
||||
- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
|
||||
- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
|
||||
- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)
|
||||
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||
of the Software, and to permit persons to whom the Software is furnished to do
|
||||
so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
---
|
||||
This product bundles rules based on https://github.com/FSecureLABS/leonidas
|
||||
which is available under a "MIT" license. The rules based on this license are:
|
||||
|
||||
- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
|
||||
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2020 F-Secure LABS
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
---
|
||||
MIT License
|
||||
|
||||
|
|
|
@ -38,5 +38,9 @@
|
|||
{
|
||||
"name": "synthetics",
|
||||
"version": "0.11.4"
|
||||
},
|
||||
{
|
||||
"name": "security_detection_engine",
|
||||
"version": "8.4.1"
|
||||
}
|
||||
]
|
||||
]
|
||||
|
|
|
@ -392,8 +392,6 @@ kibana_vars=(
|
|||
xpack.securitySolution.maxTimelineImportExportSize
|
||||
xpack.securitySolution.maxTimelineImportPayloadBytes
|
||||
xpack.securitySolution.packagerTaskInterval
|
||||
xpack.securitySolution.prebuiltRulesFromFileSystem
|
||||
xpack.securitySolution.prebuiltRulesFromSavedObjects
|
||||
xpack.spaces.maxSpaces
|
||||
xpack.task_manager.max_attempts
|
||||
xpack.task_manager.max_poll_inactivity_cycles
|
||||
|
|
|
@ -19,6 +19,26 @@ export const getPrebuiltRuleMock = (): PrebuiltRuleToInstall => ({
|
|||
version: 1,
|
||||
});
|
||||
|
||||
export const getPrebuiltRuleWithExceptionsMock = (): PrebuiltRuleToInstall => ({
|
||||
description: 'A rule with an exception list',
|
||||
name: 'A rule with an exception list',
|
||||
query: 'user.name: root or user.name: admin',
|
||||
severity: 'high',
|
||||
type: 'query',
|
||||
risk_score: 42,
|
||||
language: 'kuery',
|
||||
rule_id: 'rule-with-exceptions',
|
||||
exceptions_list: [
|
||||
{
|
||||
id: 'endpoint_list',
|
||||
list_id: 'endpoint_list',
|
||||
namespace_type: 'agnostic',
|
||||
type: 'endpoint',
|
||||
},
|
||||
],
|
||||
version: 2,
|
||||
});
|
||||
|
||||
export const getPrebuiltThreatMatchRuleMock = (): PrebuiltRuleToInstall => ({
|
||||
description: 'some description',
|
||||
name: 'Query with a rule id',
|
||||
|
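Review bot: `getPrebuiltRuleWithExceptionsMock` is a new exported fixture with no doc comment, so nothing in the hunk explains what it is for beyond its name; compared with the sibling `getPrebuiltRuleMock` (whose `version: 1` is the context line at the top of the hunk) it carries `version: 2` and an `exceptions_list` entry pointing at the agnostic `endpoint_list`. A short TSDoc above the export would spare the next test author from reverse-engineering that: `/** Prebuilt rule fixture that references the agnostic endpoint exception list; version 2, one above getPrebuiltRuleMock, so it can presumably stand in as an update candidate in tests. */` — the update-candidate reading is inferred from the version numbers only, so confirm it against the tests that consume the mock. `getPrebuiltThreatMatchRuleMock` begins in this hunk and continues outside it.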
|
|
@ -26,8 +26,6 @@ export const createMockConfig = (): ConfigType => {
|
|||
packagerTaskInterval: '60s',
|
||||
alertMergeStrategy: 'missingFields',
|
||||
alertIgnoreFields: [],
|
||||
prebuiltRulesFromFileSystem: true,
|
||||
prebuiltRulesFromSavedObjects: false,
|
||||
|
||||
experimentalFeatures: parseExperimentalConfigValue(enableExperimental),
|
||||
};
|
||||
|
|
|
@ -109,12 +109,6 @@ export const configSchema = schema.object({
|
|||
* Artifacts Configuration
|
||||
*/
|
||||
packagerTaskInterval: schema.string({ defaultValue: '60s' }),
|
||||
|
||||
/**
|
||||
* Detection prebuilt rules
|
||||
*/
|
||||
prebuiltRulesFromFileSystem: schema.boolean({ defaultValue: true }),
|
||||
prebuiltRulesFromSavedObjects: schema.boolean({ defaultValue: true }),
|
||||
});
|
||||
|
||||
export type ConfigSchema = TypeOf<typeof configSchema>;
|
||||
|
|
|
@ -50,6 +50,8 @@ export const config: PluginConfigDescriptor<ConfigSchema> = {
|
|||
{ level: 'critical' }
|
||||
),
|
||||
unused('ruleExecutionLog.underlyingClient', { level: 'warning' }),
|
||||
unused('prebuiltRulesFromFileSystem', { level: 'warning' }),
|
||||
unused('prebuiltRulesFromSavedObjects', { level: 'warning' }),
|
||||
],
|
||||
};
|
||||
|
||||
|
|
|
@ -52,11 +52,7 @@ export const getPrebuiltRulesAndTimelinesStatusRoute = (
|
|||
const ruleAssetsClient = ruleAssetSavedObjectsClientFactory(savedObjectsClient);
|
||||
|
||||
try {
|
||||
const latestPrebuiltRules = await getLatestPrebuiltRules(
|
||||
ruleAssetsClient,
|
||||
config.prebuiltRulesFromFileSystem,
|
||||
config.prebuiltRulesFromSavedObjects
|
||||
);
|
||||
const latestPrebuiltRules = await getLatestPrebuiltRules(ruleAssetsClient);
|
||||
|
||||
const customRules = await findRules({
|
||||
rulesClient,
|
||||
|
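Review bot: The only reads of `config` visible in this hunk are the two removed arguments (`config.prebuiltRulesFromFileSystem`, `config.prebuiltRulesFromSavedObjects`), so `config` may now be an unused binding in `getPrebuiltRulesAndTimelinesStatusRoute` unless it is still referenced in the part of the function that starts before this hunk and continues after it; worth checking that lint does not flag it and dropping the parameter or its destructuring if nothing else needs it. The status endpoint also now depends solely on the saved-object rule assets, which are presumably installed from the `security_detection_engine` package listed elsewhere in this commit; a one-line comment at the call would record that assumption for operators debugging an empty status, e.g. `// Rule assets now come only from the installed security_detection_engine package; an empty result presumably means it is not installed.`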
|
|
@ -92,11 +92,7 @@ export const createPrepackagedRules = async (
|
|||
const exceptionsListClient = context.getExceptionListClient() ?? exceptionsClient;
|
||||
const ruleAssetsClient = ruleAssetSavedObjectsClientFactory(savedObjectsClient);
|
||||
|
||||
const {
|
||||
maxTimelineImportExportSize,
|
||||
prebuiltRulesFromFileSystem,
|
||||
prebuiltRulesFromSavedObjects,
|
||||
} = config;
|
||||
const { maxTimelineImportExportSize } = config;
|
||||
|
||||
if (!siemClient || !rulesClient) {
|
||||
throw new PrepackagedRulesError('', 404);
|
||||
|
@ -107,11 +103,7 @@ export const createPrepackagedRules = async (
|
|||
await exceptionsListClient.createEndpointList();
|
||||
}
|
||||
|
||||
const latestPrepackagedRulesMap = await getLatestPrebuiltRules(
|
||||
ruleAssetsClient,
|
||||
prebuiltRulesFromFileSystem,
|
||||
prebuiltRulesFromSavedObjects
|
||||
);
|
||||
const latestPrepackagedRulesMap = await getLatestPrebuiltRules(ruleAssetsClient);
|
||||
const installedPrePackagedRules = rulesToMap(await getExistingPrepackagedRules({ rulesClient }));
|
||||
const rulesToInstall = getRulesToInstall(latestPrepackagedRulesMap, installedPrePackagedRules);
|
||||
const rulesToUpdate = getRulesToUpdate(latestPrepackagedRulesMap, installedPrePackagedRules);
|
||||
|
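Review bot: `latestPrepackagedRulesMap` is now sourced only from `ruleAssetsClient`, and the hunk still flows straight into `getRulesToInstall`/`getRulesToUpdate` without checking whether anything came back; if `getLatestPrebuiltRules` yields an empty map when the `security_detection_engine` package is not installed (its body is not visible here), this install path completes successfully having installed nothing, a failure mode that only shows up later as missing detection coverage. Consider an explicit check after the call, for instance `if (latestPrepackagedRulesMap.size === 0) { throw new PrepackagedRulesError('No prebuilt rule assets found; is the security_detection_engine package installed?', 500); }` (assuming the value is a `Map`, as the name suggests), or at minimum a logged warning so the condition is observable. The same concern applies to the status route earlier in this commit, which calls `getLatestPrebuiltRules(ruleAssetsClient)` the same way. `createPrepackagedRules` begins before this hunk and continues after it.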
|
|
@ -1,42 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
|
||||
"false_positives": [
|
||||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
|
||||
],
|
||||
"index": [
|
||||
"apm-*-transaction*",
|
||||
"traces-apm*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Web Application Suspicious Activity: POST Request Declined",
|
||||
"query": "http.response.status_code:403 and http.request.method:post\n",
|
||||
"references": [
|
||||
"https://en.wikipedia.org/wiki/HTTP_403"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "http.request.method",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "http.response.status_code",
|
||||
"type": "long"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"APM"
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
|
||||
"false_positives": [
|
||||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
|
||||
],
|
||||
"index": [
|
||||
"apm-*-transaction*",
|
||||
"traces-apm*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Web Application Suspicious Activity: Unauthorized Method",
|
||||
"query": "http.response.status_code:405\n",
|
||||
"references": [
|
||||
"https://en.wikipedia.org/wiki/HTTP_405"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "http.response.status_code",
|
||||
"type": "long"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"APM"
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
|
||||
"false_positives": [
|
||||
"This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
|
||||
],
|
||||
"index": [
|
||||
"apm-*-transaction*",
|
||||
"traces-apm*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Web Application Suspicious Activity: sqlmap User Agent",
|
||||
"query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
|
||||
"references": [
|
||||
"http://sqlmap.org/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user_agent.original",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"APM"
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,85 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
|
||||
"false_positives": [
|
||||
"Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-60m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-aws*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "AWS CloudTrail Log Created",
|
||||
"note": "",
|
||||
"query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
|
||||
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "cloudtrail",
|
||||
"package": "aws",
|
||||
"version": "^1.5.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
|
||||
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"AWS",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Log Auditing"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1530",
|
||||
"name": "Data from Cloud Storage Object",
|
||||
"reference": "https://attack.mitre.org/techniques/T1530/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,87 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
|
||||
"false_positives": [
|
||||
"Legitimate exchange system administration activity."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*",
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Exporting Exchange Mailbox via PowerShell",
|
||||
"note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive\nto a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive\nand strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that\n assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on\na per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity\nand it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle\nis being followed.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "process where event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
|
||||
"references": [
|
||||
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
|
||||
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1005",
|
||||
"name": "Data from Local System",
|
||||
"reference": "https://attack.mitre.org/techniques/T1005/"
|
||||
},
|
||||
{
|
||||
"id": "T1114",
|
||||
"name": "Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1114.002",
|
||||
"name": "Remote Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,77 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
|
||||
"false_positives": [
|
||||
"Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-gcp*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "GCP Pub/Sub Subscription Creation",
|
||||
"note": "",
|
||||
"query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://cloud.google.com/pubsub/docs/overview"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "audit",
|
||||
"package": "gcp",
|
||||
"version": "^2.0.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
|
||||
"setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"GCP",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Log Auditing"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1530",
|
||||
"name": "Data from Cloud Storage Object",
|
||||
"reference": "https://attack.mitre.org/techniques/T1530/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,77 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
|
||||
"false_positives": [
|
||||
"Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-gcp*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "GCP Pub/Sub Topic Creation",
|
||||
"note": "",
|
||||
"query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://cloud.google.com/pubsub/docs/admin"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "audit",
|
||||
"package": "gcp",
|
||||
"version": "^2.0.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
|
||||
"setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"GCP",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Log Auditing"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1530",
|
||||
"name": "Data from Cloud Storage Object",
|
||||
"reference": "https://attack.mitre.org/techniques/T1530/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,90 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.",
|
||||
"false_positives": [
|
||||
"Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."
|
||||
],
|
||||
"from": "now-130m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-google_workspace*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Drive Ownership Transferred via Google Workspace",
|
||||
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
|
||||
"query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/1247799?hl=en"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "google_workspace",
|
||||
"version": "^1.2.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "google_workspace.admin.application.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce",
|
||||
"setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Google Workspace",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Collection"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1074",
|
||||
"name": "Data Staged",
|
||||
"reference": "https://attack.mitre.org/techniques/T1074/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1074.002",
|
||||
"name": "Remote Data Staging",
|
||||
"reference": "https://attack.mitre.org/techniques/T1074/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
|
@ -1,90 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.",
|
||||
"false_positives": [
|
||||
"Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam."
|
||||
],
|
||||
"from": "now-130m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-google_workspace*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Custom Gmail Route Created or Modified",
|
||||
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
|
||||
"query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/2685650?hl=en"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "google_workspace",
|
||||
"version": "^1.2.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "google_workspace.admin.setting.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "google_workspace.event.type",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce",
|
||||
"setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Google Workspace",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Collection"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1114",
|
||||
"name": "Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1114.003",
|
||||
"name": "Email Forwarding Rule",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
|
@ -1,114 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic",
|
||||
"Gary Blackwell",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.",
|
||||
"false_positives": [
|
||||
"Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-o365*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Microsoft 365 Inbox Forwarding Rule Created",
|
||||
"note": "",
|
||||
"query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
|
||||
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
|
||||
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
|
||||
"https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "o365",
|
||||
"version": "^1.3.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "o365.audit.Parameters.ForwardAsAttachmentTo",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "o365.audit.Parameters.ForwardTo",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "o365.audit.Parameters.RedirectTo",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
|
||||
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Microsoft 365",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Configuration Audit"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1114",
|
||||
"name": "Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1114.003",
|
||||
"name": "Email Forwarding Rule",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,85 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
||||
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.category:process and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n )\n",
|
||||
"references": [
|
||||
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "powershell.file.script_block_text",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
|
||||
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1123",
|
||||
"name": "Audio Capture",
|
||||
"reference": "https://attack.mitre.org/techniques/T1123/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1059.001",
|
||||
"name": "PowerShell",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,93 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "PowerShell Keylogging Script",
|
||||
"note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.category:process and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n )\n",
|
||||
"references": [
|
||||
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
|
||||
"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "powershell.file.script_block_text",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
|
||||
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1056",
|
||||
"name": "Input Capture",
|
||||
"reference": "https://attack.mitre.org/techniques/T1056/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1056.001",
|
||||
"name": "Keylogging",
|
||||
"reference": "https://attack.mitre.org/techniques/T1056/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1059.001",
|
||||
"name": "PowerShell",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,85 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
||||
"note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.category:process and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n )\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "powershell.file.script_block_text",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
|
||||
"setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1113",
|
||||
"name": "Screen Capture",
|
||||
"reference": "https://attack.mitre.org/techniques/T1113/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1059.001",
|
||||
"name": "PowerShell",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,93 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
|
||||
"false_positives": [
|
||||
"Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-25m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-azure*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Azure Event Hub Authorization Rule Created or Updated",
|
||||
"note": "",
|
||||
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "activitylogs",
|
||||
"package": "azure",
|
||||
"version": "^1.0.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "azure.activitylogs.operation_name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
|
||||
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Azure",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Log Auditing"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1530",
|
||||
"name": "Data from Cloud Storage Object",
|
||||
"reference": "https://attack.mitre.org/techniques/T1530/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0010",
|
||||
"name": "Exfiltration",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0010/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1537",
|
||||
"name": "Transfer Data to Cloud Account",
|
||||
"reference": "https://attack.mitre.org/techniques/T1537/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,88 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*",
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Encrypting Files with WinRar or 7z",
|
||||
"note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "process where event.type == \"start\" and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
|
||||
"references": [
|
||||
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.code_signature.subject_name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1560",
|
||||
"name": "Archive Collected Data",
|
||||
"reference": "https://attack.mitre.org/techniques/T1560/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1560.001",
|
||||
"name": "Archive via Utility",
|
||||
"reference": "https://attack.mitre.org/techniques/T1560/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,101 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
|
||||
"false_positives": [
|
||||
"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Accepted Default Telnet Port Connection",
|
||||
"query": "event.category:(network or network_traffic) and destination.port:23\n and network.direction:(inbound or ingress or outbound or egress)\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.direction",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host",
|
||||
"Lateral Movement",
|
||||
"Initial Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": []
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0008",
|
||||
"name": "Lateral Movement",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0008/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1021",
|
||||
"name": "Remote Services",
|
||||
"reference": "https://attack.mitre.org/techniques/T1021/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0001",
|
||||
"name": "Initial Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0001/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1190",
|
||||
"name": "Exploit Public-Facing Application",
|
||||
"reference": "https://attack.mitre.org/techniques/T1190/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeline_id": "300afc76-072d-4261-864d-4149714bf3f1",
|
||||
"timeline_title": "Comprehensive Network Timeline",
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,73 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Network Connection via Certutil",
|
||||
"note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
|
||||
"query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
|
||||
"references": [
|
||||
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
|
||||
"https://frsecure.com/malware-incident-response-playbook/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.entity_id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1105",
|
||||
"name": "Ingress Tool Transfer",
|
||||
"reference": "https://attack.mitre.org/techniques/T1105/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
|
||||
"false_positives": [
|
||||
"This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "lucene",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Cobalt Strike Command and Control Beacon",
|
||||
"note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
|
||||
"query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
|
||||
"references": [
|
||||
"https://blog.morphisec.com/fin7-attacks-restaurant-industry",
|
||||
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
|
||||
"https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/"
|
||||
},
|
||||
{
|
||||
"id": "T1568",
|
||||
"name": "Dynamic Resolution",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1568.002",
|
||||
"name": "Domain Generation Algorithms",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,86 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Default Cobalt Strike Team Server Certificate",
|
||||
"note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
|
||||
"query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
|
||||
"references": [
|
||||
"https://attack.mitre.org/software/S0154/",
|
||||
"https://www.cobaltstrike.com/help-setup-collaboration",
|
||||
"https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
|
||||
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
|
||||
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
|
||||
"https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "tls.server.hash.md5",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "tls.server.hash.sha1",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "tls.server.hash.sha256",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 99,
|
||||
"rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
|
||||
"severity": "critical",
|
||||
"tags": [
|
||||
"Command and Control",
|
||||
"Post-Execution",
|
||||
"Threat Detection",
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1071.001",
|
||||
"name": "Web Protocols",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,100 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Connection to Commonly Abused Web Services",
|
||||
"note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised\nsystem. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the\nlikelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can\nbe abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy\nfalse positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
|
||||
"query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "dns.question.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.protocol",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.id",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1102",
|
||||
"name": "Web Service",
|
||||
"reference": "https://attack.mitre.org/techniques/T1102/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0010",
|
||||
"name": "Exfiltration",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0010/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1567",
|
||||
"name": "Exfiltration Over Web Service",
|
||||
"reference": "https://attack.mitre.org/techniques/T1567/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1567.001",
|
||||
"name": "Exfiltration to Code Repository",
|
||||
"reference": "https://attack.mitre.org/techniques/T1567/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1567.002",
|
||||
"name": "Exfiltration to Cloud Storage",
|
||||
"reference": "https://attack.mitre.org/techniques/T1567/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,101 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.",
|
||||
"false_positives": [
|
||||
"False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but typically SSH is used in these scenarios."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Suspicious Network Connection Attempt by Root",
|
||||
"note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n",
|
||||
"query": "sequence by process.entity_id with maxspan=1m\n[network where event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n[process where event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n",
|
||||
"references": [
|
||||
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
|
||||
"https://twitter.com/GossiTheDog/status/1522964028284411907",
|
||||
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.entity_id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.id",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1095",
|
||||
"name": "Non-Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1095/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Privilege Escalation",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1548",
|
||||
"name": "Abuse Elevation Control Mechanism",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.003",
|
||||
"name": "Sudo and Sudo Caching",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,87 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential DNS Tunneling via NsLookup",
|
||||
"note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as\ntheir command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration,\nsince queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on\n[Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially\ncompromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor\ncommand and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
|
||||
"query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
|
||||
"references": [
|
||||
"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1071.004",
|
||||
"name": "DNS",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/004/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"threshold": {
|
||||
"field": [
|
||||
"host.id"
|
||||
],
|
||||
"value": 15
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 102
|
||||
}
|
|
@ -1,88 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
|
||||
"false_positives": [
|
||||
"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
|
||||
"note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
|
||||
"query": "event.category:(network or network_traffic) and network.protocol:http and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n",
|
||||
"references": [
|
||||
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
|
||||
"https://www.justice.gov/opa/press-release/file/1084361/download",
|
||||
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.protocol",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "url.extension",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "url.path",
|
||||
"type": "wildcard"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1105",
|
||||
"name": "Ingress Tool Transfer",
|
||||
"reference": "https://attack.mitre.org/techniques/T1105/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
||||
"note": "",
|
||||
"query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "dns.question.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.protocol",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1573",
|
||||
"name": "Encrypted Channel",
|
||||
"reference": "https://attack.mitre.org/techniques/T1573/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
|
||||
"false_positives": [
|
||||
"This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "lucene",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Possible FIN7 DGA Command and Control Behavior",
|
||||
"note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
|
||||
"query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
|
||||
"references": [
|
||||
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/"
|
||||
},
|
||||
{
|
||||
"id": "T1568",
|
||||
"name": "Dynamic Resolution",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1568.002",
|
||||
"name": "Domain Generation Algorithms",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,67 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
|
||||
"false_positives": [
|
||||
"This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "lucene",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Halfbaked Command and Control Beacon",
|
||||
"note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
|
||||
"query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n",
|
||||
"references": [
|
||||
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
|
||||
"https://attack.mitre.org/software/S0151/"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/"
|
||||
},
|
||||
{
|
||||
"id": "T1568",
|
||||
"name": "Dynamic Resolution",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1568.002",
|
||||
"name": "Domain Generation Algorithms",
|
||||
"reference": "https://attack.mitre.org/techniques/T1568/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,117 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
|
||||
"false_positives": [
|
||||
"Processes such as MS Office using IEproxy to render HTML content."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Command and Control via Internet Explorer",
|
||||
"query": "sequence by host.id, user.name with maxspan = 5s\n [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "dll.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "dns.question.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.protocol",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1559",
|
||||
"name": "Inter-Process Communication",
|
||||
"reference": "https://attack.mitre.org/techniques/T1559/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1559.001",
|
||||
"name": "Component Object Model",
|
||||
"reference": "https://attack.mitre.org/techniques/T1559/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
|
||||
"false_positives": [
|
||||
"Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential DNS Tunneling via Iodine",
|
||||
"query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)\n",
|
||||
"references": [
|
||||
"https://code.kryo.se/iodine/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1572",
|
||||
"name": "Protocol Tunneling",
|
||||
"reference": "https://attack.mitre.org/techniques/T1572/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
{
|
||||
"anomaly_threshold": 50,
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
|
||||
"false_positives": [
|
||||
"DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
|
||||
],
|
||||
"from": "now-45m",
|
||||
"interval": "15m",
|
||||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "packetbeat_dns_tunneling",
|
||||
"name": "DNS Tunneling",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"ML",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1572",
|
||||
"name": "Protocol Tunneling",
|
||||
"reference": "https://attack.mitre.org/techniques/T1572/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 100
|
||||
}
|
|
@ -1,54 +0,0 @@
|
|||
{
|
||||
"anomaly_threshold": 50,
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
|
||||
"false_positives": [
|
||||
"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
|
||||
],
|
||||
"from": "now-45m",
|
||||
"interval": "15m",
|
||||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "packetbeat_rare_dns_question",
|
||||
"name": "Unusual DNS Activity",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"ML",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1071.004",
|
||||
"name": "DNS",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/004/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 100
|
||||
}
|
|
@ -1,54 +0,0 @@
|
|||
{
|
||||
"anomaly_threshold": 50,
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
|
||||
"false_positives": [
|
||||
"Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
|
||||
],
|
||||
"from": "now-45m",
|
||||
"interval": "15m",
|
||||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "packetbeat_rare_urls",
|
||||
"name": "Unusual Web Request",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"ML",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1071.001",
|
||||
"name": "Web Protocols",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 100
|
||||
}
|
|
@ -1,54 +0,0 @@
|
|||
{
|
||||
"anomaly_threshold": 50,
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
|
||||
"false_positives": [
|
||||
"Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
|
||||
],
|
||||
"from": "now-45m",
|
||||
"interval": "15m",
|
||||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "packetbeat_rare_user_agent",
|
||||
"name": "Unusual Web User Agent",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"ML",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1071",
|
||||
"name": "Application Layer Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1071.001",
|
||||
"name": "Web Protocols",
|
||||
"reference": "https://attack.mitre.org/techniques/T1071/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 100
|
||||
}
|
|
@ -1,62 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
|
||||
"false_positives": [
|
||||
"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "IPSEC NAT Traversal Port Activity",
|
||||
"query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": []
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,82 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.",
|
||||
"false_positives": [
|
||||
"SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Non-Standard Port SSH connection",
|
||||
"query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n",
|
||||
"references": [
|
||||
"https://attack.mitre.org/techniques/T1571/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.entity_id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"macOS"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1571",
|
||||
"name": "Non-Standard Port",
|
||||
"reference": "https://attack.mitre.org/techniques/T1571/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,86 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
|
||||
"false_positives": [
|
||||
"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "SMTP on Port 26/TCP",
|
||||
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
|
||||
"references": [
|
||||
"https://unit42.paloaltonetworks.com/unit42-badpatch/",
|
||||
"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": []
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0010",
|
||||
"name": "Exfiltration",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0010/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1048",
|
||||
"name": "Exfiltration Over Alternative Protocol",
|
||||
"reference": "https://attack.mitre.org/techniques/T1048/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Port Forwarding Rule Addition",
|
||||
"note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "registry where registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n",
|
||||
"references": [
|
||||
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "registry.path",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1572",
|
||||
"name": "Protocol Tunneling",
|
||||
"reference": "https://attack.mitre.org/techniques/T1572/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,112 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "RDP (Remote Desktop Protocol) from the Internet",
|
||||
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n",
|
||||
"references": [
|
||||
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": []
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0008",
|
||||
"name": "Lateral Movement",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0008/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1021",
|
||||
"name": "Remote Services",
|
||||
"reference": "https://attack.mitre.org/techniques/T1021/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0001",
|
||||
"name": "Initial Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0001/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1190",
|
||||
"name": "Exploit Public-Facing Application",
|
||||
"reference": "https://attack.mitre.org/techniques/T1190/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeline_id": "300afc76-072d-4261-864d-4149714bf3f1",
|
||||
"timeline_title": "Comprehensive Network Timeline",
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*",
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Remote Desktop Tunneling Detected",
|
||||
"note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,\nranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would\nfilter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP\nconnections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated\nwith tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key\nmodification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "process where event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
|
||||
"references": [
|
||||
"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1572",
|
||||
"name": "Protocol Tunneling",
|
||||
"reference": "https://attack.mitre.org/techniques/T1572/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,94 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Remote File Download via Script Interpreter",
|
||||
"note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
|
||||
"query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "file.extension",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.direction",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.protocol",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.entity_id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1105",
|
||||
"name": "Ingress Tool Transfer",
|
||||
"reference": "https://attack.mitre.org/techniques/T1105/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Protocol Tunneling via EarthWorm",
|
||||
"note": "",
|
||||
"query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
|
||||
"references": [
|
||||
"http://rootkiter.com/EarthWorm/",
|
||||
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Command and Control"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1572",
|
||||
"name": "Protocol Tunneling",
|
||||
"reference": "https://attack.mitre.org/techniques/T1572/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,96 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "VNC (Virtual Network Computing) from the Internet",
|
||||
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n",
|
||||
"references": [
|
||||
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1219",
|
||||
"name": "Remote Access Software",
|
||||
"reference": "https://attack.mitre.org/techniques/T1219/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0001",
|
||||
"name": "Initial Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0001/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1190",
|
||||
"name": "Exploit Public-Facing Application",
|
||||
"reference": "https://attack.mitre.org/techniques/T1190/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,81 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"filebeat-*",
|
||||
"packetbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "VNC (Virtual Network Computing) to the Internet",
|
||||
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
|
||||
"references": [
|
||||
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "destination.port",
|
||||
"type": "long"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "network.transport",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Network",
|
||||
"Threat Detection",
|
||||
"Command and Control",
|
||||
"Host"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0011",
|
||||
"name": "Command and Control",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0011/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1219",
|
||||
"name": "Remote Access Software",
|
||||
"reference": "https://attack.mitre.org/techniques/T1219/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,74 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Access of Stored Browser Credentials",
|
||||
"note": "",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n",
|
||||
"references": [
|
||||
"https://securelist.com/calisto-trojan-for-macos/86543/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1539",
|
||||
"name": "Steal Web Session Cookie",
|
||||
"reference": "https://attack.mitre.org/techniques/T1539/"
|
||||
},
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1555.003",
|
||||
"name": "Credentials from Web Browsers",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-okta*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Attempted Bypass of Okta MFA",
|
||||
"note": "",
|
||||
"query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
|
||||
"references": [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "okta",
|
||||
"version": "^1.3.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
|
||||
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Identity",
|
||||
"Okta",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1111",
|
||||
"name": "Multi-Factor Authentication Interception",
|
||||
"reference": "https://attack.mitre.org/techniques/T1111/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic",
|
||||
"@BenB196",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
|
||||
"from": "now-180m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-okta*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Attempts to Brute Force an Okta User Account",
|
||||
"note": "",
|
||||
"query": "event.dataset:okta.system and event.action:user.account.lock\n",
|
||||
"references": [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "okta",
|
||||
"version": "^1.3.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
|
||||
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Identity",
|
||||
"Okta",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"threshold": {
|
||||
"field": [
|
||||
"okta.actor.alternate_id"
|
||||
],
|
||||
"value": 3
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 102
|
||||
}
|
|
@ -1,90 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
|
||||
"from": "now-20m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-aws*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "AWS IAM Brute Force of Assume Role Policy",
|
||||
"note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar\nto an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot\ndo in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone\nwho needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated\nwith it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or\nhijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute\nforce attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment.\nIf only one role was targeted in the requests and that role previously existed, it may be a false positive, since\nautomations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
|
||||
"references": [
|
||||
"https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
|
||||
"https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "cloudtrail",
|
||||
"package": "aws",
|
||||
"version": "^1.5.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "aws.cloudtrail.error_code",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
|
||||
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"AWS",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"threshold": {
|
||||
"field": [],
|
||||
"value": 25
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 103
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.",
|
||||
"false_positives": [
|
||||
"Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-25m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-azure*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Azure Full Network Packet Capture Detected",
|
||||
"note": "",
|
||||
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "activitylogs",
|
||||
"package": "azure",
|
||||
"version": "^1.0.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "azure.activitylogs.operation_name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
|
||||
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Azure",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Monitoring"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1040",
|
||||
"name": "Network Sniffing",
|
||||
"reference": "https://attack.mitre.org/techniques/T1040/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 101
|
||||
}
|
|
@ -1,93 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Privileged Account Brute Force",
|
||||
"note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n- Investigate the source IP address of the failed Network Logon attempts.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Trust relationship between the primary domain and the trusted domain issue.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "sequence by host.id, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.Status",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.logon.type",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1110.001",
|
||||
"name": "Password Guessing",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1110.003",
|
||||
"name": "Password Spraying",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,98 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Multiple Logon Failure Followed by Logon Success",
|
||||
"note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n- Investigate the source IP address of the failed Network Logon attempts.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Trust relationship between the primary domain and the trusted domain issue.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "sequence by host.id, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.domain",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.Status",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.logon.type",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1110.001",
|
||||
"name": "Password Guessing",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1110.003",
|
||||
"name": "Password Spraying",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,98 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Multiple Logon Failure from the same Source Address",
|
||||
"note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n- Investigate the source IP address of the failed Network Logon attempts.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Trust relationship between the primary domain and the trusted domain issue.\n- Infrastructure or availability issue.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "sequence by host.id, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* \n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.domain",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.Status",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.logon.type",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "48b6edfc-079d-4907-b43c-baffa243270d",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1110.001",
|
||||
"name": "Password Guessing",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1110.003",
|
||||
"name": "Password Spraying",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,84 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-system.auth-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential SSH Password Guessing",
|
||||
"note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the\nsame target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial\naccess to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified.\n- Reset passwords for these accounts and other potentially compromised credentials.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n",
|
||||
"query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=2\n\n [authentication where event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "host.id",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "source.ip",
|
||||
"type": "ip"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1110.001",
|
||||
"name": "Password Guessing",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1110.003",
|
||||
"name": "Password Spraying",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,98 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Credential Access via Windows Utilities",
|
||||
"note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and\ngroup membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active\nDirectory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "process where event.type == \"start\" and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
|
||||
"references": [
|
||||
"https://lolbas-project.github.io/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.command_line",
|
||||
"type": "wildcard"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
},
|
||||
{
|
||||
"id": "T1003.003",
|
||||
"name": "NTDS",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,100 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Sensitive Files Compression",
|
||||
"query": "event.category:process and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n",
|
||||
"references": [
|
||||
"https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Threat Detection",
|
||||
"Collection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1552",
|
||||
"name": "Unsecured Credentials",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1552.001",
|
||||
"name": "Credentials In Files",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0009",
|
||||
"name": "Collection",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0009/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1560",
|
||||
"name": "Archive Collected Data",
|
||||
"reference": "https://attack.mitre.org/techniques/T1560/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1560.001",
|
||||
"name": "Archive via Utility",
|
||||
"reference": "https://attack.mitre.org/techniques/T1560/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
|
||||
"false_positives": [
|
||||
"Developers performing browsers plugin or extension debugging."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 33,
|
||||
"name": "Potential Cookies Theft via Browser Debugging",
|
||||
"note": "",
|
||||
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
|
||||
"references": [
|
||||
"https://github.com/defaultnamehere/cookie_crimes",
|
||||
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
|
||||
"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
|
||||
"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Linux",
|
||||
"Windows",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1539",
|
||||
"name": "Steal Web Session Cookie",
|
||||
"reference": "https://attack.mitre.org/techniques/T1539/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,81 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 33,
|
||||
"name": "NTDS or SAM Database File Copied",
|
||||
"note": "",
|
||||
"query": "process where event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
|
||||
"references": [
|
||||
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
|
||||
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
|
||||
"https://www.elastic.co/security-labs/detect-credential-access"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.002",
|
||||
"name": "Security Account Manager",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/002/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
File diff suppressed because one or more lines are too long
|
@ -1,80 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Access to Keychain Credentials Directories",
|
||||
"note": "",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n",
|
||||
"references": [
|
||||
"https://objective-see.com/blog/blog_0x25.html",
|
||||
"https://securelist.com/calisto-trojan-for-macos/86543/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.executable",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1555.001",
|
||||
"name": "Keychain",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,91 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Credential Access via DCSync",
|
||||
"note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are\nautomatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object\nclass, and object classes and their respective attributes are defined in the Active Directory schema. Objects are\ndefined by the values of their attributes, and changes to attribute values must be transferred from the domain\ncontroller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process\nfrom a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used\nlegitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges\nto succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of\nthe Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused\nto grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that\nuse the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent:\nSchema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set).\nIt also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller\n(DC) that received the replication request. This will tell you where the AD replication request came from, and if it\ncame from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any\npotential benign true positive (B-TP) should be mapped and monitored by the security team. 
Any account that performs\nthis activity can put the domain at risk for not having the same security standards as computer accounts (which have\nlong, complex, random passwords that change frequently), exposing it to credential cracking attacks (Kerberoasting,\nbrute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems,\n and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited\n to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this\ninformation to scope ways that the attacker could use to regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\")\n",
|
||||
"references": [
|
||||
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
|
||||
"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
|
||||
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
|
||||
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
|
||||
"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
|
||||
"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.code",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.AccessMask",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.Properties",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.SubjectUserName",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
|
||||
"setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Active Directory",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.006",
|
||||
"name": "DCSync",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/006/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,72 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Kerberos Pre-authentication Disabled for User",
|
||||
"note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting\naccess to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request\n(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to\nsuccessfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server\nResponse (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is\nsigned with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that\nif the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that\ncan be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. 
The security team\nshould map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.code:4738 and message:\"'Don't Require Preauth' - Enabled\"\n",
|
||||
"references": [
|
||||
"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
|
||||
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
|
||||
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.code",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "message",
|
||||
"type": "match_only_text"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1",
|
||||
"setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1558",
|
||||
"name": "Steal or Forge Kerberos Tickets",
|
||||
"reference": "https://attack.mitre.org/techniques/T1558/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1558.004",
|
||||
"name": "AS-REP Roasting",
|
||||
"reference": "https://attack.mitre.org/techniques/T1558/004/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Creation or Modification of Domain Backup DPAPI private key",
|
||||
"note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
|
||||
"query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
|
||||
"references": [
|
||||
"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
|
||||
"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "file.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1552",
|
||||
"name": "Unsecured Credentials",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1552.004",
|
||||
"name": "Private Keys",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/004/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 101
|
||||
}
|
|
@ -1,84 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Credential Acquisition via Registry Hive Dumping",
|
||||
"note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "process where event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
|
||||
"references": [
|
||||
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
|
||||
"https://www.elastic.co/security-labs/detect-credential-access"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.002",
|
||||
"name": "Security Account Manager",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/002/"
|
||||
},
|
||||
{
|
||||
"id": "T1003.004",
|
||||
"name": "LSA Secrets",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/004/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,71 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Dumping Account Hashes via Built-In Commands",
|
||||
"query": "event.category:process and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n",
|
||||
"references": [
|
||||
"https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
|
||||
"https://www.unix.com/man-page/osx/8/mkpassdb/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Dumping of Keychain Content via Security Command",
|
||||
"note": "",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
|
||||
"references": [
|
||||
"https://ss64.com/osx/security.html"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1555.001",
|
||||
"name": "Keychain",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
|
||||
"from": "now-15m",
|
||||
"index": [
|
||||
"endgame-*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 10000,
|
||||
"name": "Credential Dumping - Detected - Elastic Endgame",
|
||||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "endgame.event_subtype_full",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "endgame.metadata.type",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.kind",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.module",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Elastic Endgame",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
|
||||
"from": "now-15m",
|
||||
"index": [
|
||||
"endgame-*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 10000,
|
||||
"name": "Credential Dumping - Prevented - Elastic Endgame",
|
||||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "endgame.event_subtype_full",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "endgame.metadata.type",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.kind",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.module",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Elastic Endgame",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,95 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Full User-Mode Dumps Enabled System-Wide",
|
||||
"query": "registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
|
||||
"https://github.com/deepinstinct/Lsass-Shtinkering",
|
||||
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "registry.data.strings",
|
||||
"type": "wildcard"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "registry.path",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.id",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1112",
|
||||
"name": "Modify Registry",
|
||||
"reference": "https://attack.mitre.org/techniques/T1112/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,96 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
|
||||
"false_positives": [
|
||||
"Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-60m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-aws*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "AWS IAM User Addition to Group",
|
||||
"note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify\nwho can access which services and resources, and under which conditions. With IAM policies, you manage permissions to\nyour workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher\nconfidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to\nreduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "cloudtrail",
|
||||
"package": "aws",
|
||||
"version": "^1.5.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
|
||||
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"AWS",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access",
|
||||
"Credential Access",
|
||||
"Persistence",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": []
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0003",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0003/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1098",
|
||||
"name": "Account Manipulation",
|
||||
"reference": "https://attack.mitre.org/techniques/T1098/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 103
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 33,
|
||||
"name": "Microsoft IIS Service Account Password Dumped",
|
||||
"note": "",
|
||||
"query": "process where event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n",
|
||||
"references": [
|
||||
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,77 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 33,
|
||||
"name": "Microsoft IIS Connection Strings Decryption",
|
||||
"note": "",
|
||||
"query": "process where event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
|
||||
"references": [
|
||||
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
|
||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.pe.original_file_name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Kerberos Cached Credentials Dumping",
|
||||
"query": "event.category:process and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n",
|
||||
"references": [
|
||||
"https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
|
||||
"https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
},
|
||||
{
|
||||
"id": "T1558",
|
||||
"name": "Steal or Forge Kerberos Tickets",
|
||||
"reference": "https://attack.mitre.org/techniques/T1558/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1558.003",
|
||||
"name": "Kerberoasting",
|
||||
"reference": "https://attack.mitre.org/techniques/T1558/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,87 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
|
||||
"false_positives": [
|
||||
"Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-25m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-azure*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Azure Key Vault Modified",
|
||||
"note": "",
|
||||
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
|
||||
"references": [
|
||||
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
|
||||
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
|
||||
"https://www.elastic.co/security-labs/detect-credential-access"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"integration": "activitylogs",
|
||||
"package": "azure",
|
||||
"version": "^1.0.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "azure.activitylogs.operation_name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.outcome",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
|
||||
"setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Azure",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Data Protection"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1552",
|
||||
"name": "Unsecured Credentials",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1552.001",
|
||||
"name": "Credentials In Files",
|
||||
"reference": "https://attack.mitre.org/techniques/T1552/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,97 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
|
||||
"false_positives": [
|
||||
"Applications for password management."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Keychain Password Retrieval via Command Line",
|
||||
"note": "",
|
||||
"query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
|
||||
"references": [
|
||||
"https://www.netmeister.org/blog/keychain-passwords.html",
|
||||
"https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
|
||||
"https://ss64.com/osx/security.html",
|
||||
"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.executable",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1555.001",
|
||||
"name": "Keychain",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/001/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"id": "T1555",
|
||||
"name": "Credentials from Password Stores",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1555.003",
|
||||
"name": "Credentials from Web Browsers",
|
||||
"reference": "https://attack.mitre.org/techniques/T1555/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 100
|
||||
}
|
|
@ -1,75 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-system.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Access to a Sensitive LDAP Attribute",
|
||||
"note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
|
||||
"query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n )\n",
|
||||
"references": [
|
||||
"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
|
||||
"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
|
||||
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.code",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.Properties",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.SubjectUserSid",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66",
|
||||
"setup": "",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Active Directory"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
|
@ -1,85 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Suspicious LSASS Access via MalSecLogon",
|
||||
"note": "",
|
||||
"query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n",
|
||||
"references": [
|
||||
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.code",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.CallTrace",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.GrantedAccess",
|
||||
"type": "unknown"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "winlog.event_data.TargetImage",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Sysmon Only"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 101
|
||||
}
|
|
@ -1,80 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "LSASS Memory Dump Creation",
|
||||
"note": "",
|
||||
"query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n",
|
||||
"references": [
|
||||
"https://github.com/outflanknl/Dumpert",
|
||||
"https://github.com/hoangprod/AndrewSpecial"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "file.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "file.path",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.executable",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
|
||||
"timeline_title": "Comprehensive File Timeline",
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 101
|
||||
}
|
File diff suppressed because one or more lines are too long
|
@ -1,67 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-okta*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Abuse of Repeated MFA Push Notifications",
|
||||
"note": "",
|
||||
"query": "sequence by user.email with maxspan=10m\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n",
|
||||
"references": [
|
||||
"https://www.mandiant.com/resources/russian-targeting-gov-business",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.module",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "user.email",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7",
|
||||
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Identity",
|
||||
"Okta",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 101
|
||||
}
|
|
@ -1,94 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic",
|
||||
"Willem D'Haese",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
|
||||
"false_positives": [
|
||||
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-o365*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Attempts to Brute Force a Microsoft 365 User Account",
|
||||
"note": "",
|
||||
"query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
|
||||
"references": [
|
||||
"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
|
||||
],
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "o365",
|
||||
"version": "^1.3.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "o365.audit.LogonError",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
|
||||
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Microsoft 365",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"threshold": {
|
||||
"field": [
|
||||
"user.id"
|
||||
],
|
||||
"value": 10
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 101
|
||||
}
|
|
@ -1,84 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
|
||||
"false_positives": [
|
||||
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-o365*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
||||
"note": "",
|
||||
"query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n",
|
||||
"related_integrations": [
|
||||
{
|
||||
"package": "o365",
|
||||
"version": "^1.3.0"
|
||||
}
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.action",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.dataset",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.provider",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
|
||||
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"Microsoft 365",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Identity and Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"threshold": {
|
||||
"field": [
|
||||
"source.ip"
|
||||
],
|
||||
"value": 25
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 101
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the password log file from the default Mimikatz memssp module.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*",
|
||||
"endgame-*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Mimikatz Memssp Log File Detected",
|
||||
"note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
|
||||
"references": [
|
||||
"https://www.elastic.co/security-labs/detect-credential-access"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "file.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
|
||||
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Investigation Guide",
|
||||
"Elastic Endgame"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
}
|
|
@ -1,72 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Potential Invoke-Mimikatz PowerShell Script",
|
||||
"note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump\ncredentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be\ntreated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the\n \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the\ntarget host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide\nthis capability.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
|
||||
"query": "event.category:process and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n",
|
||||
"references": [
|
||||
"https://attack.mitre.org/software/S0002/",
|
||||
"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1",
|
||||
"https://www.elastic.co/security-labs/detect-credential-access"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": false,
|
||||
"name": "powershell.file.script_block_text",
|
||||
"type": "unknown"
|
||||
}
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
|
||||
"setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Credential Access",
|
||||
"Investigation Guide"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1003",
|
||||
"name": "OS Credential Dumping",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1003.001",
|
||||
"name": "LSASS Memory",
|
||||
"reference": "https://attack.mitre.org/techniques/T1003/001/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 102
|
||||
}
|
|
@ -1,79 +0,0 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.",
|
||||
"false_positives": [
|
||||
"Legitimate WebProxy Settings Modification"
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
"logs-endpoint.events.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "WebProxy Settings Modification",
|
||||
"query": "event.category : process and event.type : start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n",
|
||||
"references": [
|
||||
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
|
||||
"https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
|
||||
],
|
||||
"required_fields": [
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.category",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "event.type",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.args",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.name",
|
||||
"type": "keyword"
|
||||
},
|
||||
{
|
||||
"ecs": true,
|
||||
"name": "process.parent.executable",
|
||||
"type": "keyword"
|
||||
}
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"macOS",
|
||||
"Threat Detection",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1539",
|
||||
"name": "Steal Web Session Cookie",
|
||||
"reference": "https://attack.mitre.org/techniques/T1539/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 100
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
{
|
||||
"anomaly_threshold": 75,
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
|
||||
"false_positives": [
|
||||
"A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"interval": "15m",
|
||||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "auth_high_count_logon_fails",
|
||||
"name": "Spike in Failed Logon Events",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Authentication",
|
||||
"Threat Detection",
|
||||
"ML",
|
||||
"Credential Access"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0006",
|
||||
"name": "Credential Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0006/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1110",
|
||||
"name": "Brute Force",
|
||||
"reference": "https://attack.mitre.org/techniques/T1110/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 100
|
||||
}
|