github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 09:48:58 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Detection Rules] Add 7.14 rules (#104772)

Browse source
This commit is contained in:
Ross Wolf 2021-07-07 17:58:20 -06:00 committed by GitHub
parent dea450c5c4
commit 85c93b84e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 396 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

59
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json Normal file
View file

@ -0,0 +1,59 @@
{
"author": [
"Elastic"
],
"description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
"false_positives": [
"Planned Windows Defender configuration changes."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Disabling Windows Defender Security Settings via PowerShell",
"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
],
"risk_score": 47,
"rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

56
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json Normal file
View file

@ -0,0 +1,56 @@
{
"author": [
"Elastic"
],
"description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
"false_positives": [
"Host Windows Firewall planned system administration changes."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Enable Host Network Discovery via Netsh",
"query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
"risk_score": 47,
"rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

59
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json Normal file
View file

@ -0,0 +1,59 @@
{
"author": [
"Elastic"
],
"description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
"false_positives": [
"Microsoft Antimalware Service Executable installed on non default installation path."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
"references": [
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
],
"risk_score": 73,
"rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1574",
"name": "Hijack Execution Flow",
"reference": "https://attack.mitre.org/techniques/T1574/",
"subtechnique": [
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"reference": "https://attack.mitre.org/techniques/T1574/002/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json
View file

@ -16,7 +16,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS EC2 VM Export Failure",
"note": "## Config\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
"references": [
"https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
@ -66,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

16
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
View file

@ -562,7 +562,14 @@ import rule549 from './ml_auth_rare_user_logon.json';
import rule550 from './ml_auth_spike_in_failed_logon_events.json';
import rule551 from './ml_auth_spike_in_logon_events.json';
import rule552 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
import rule553 from './persistence_via_bits_job_notify_command.json';
import rule553 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
import rule554 from './privilege_escalation_printspooler_malicious_registry_modification.json';
import rule555 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
import rule556 from './privilege_escalation_unusual_printspooler_childprocess.json';
import rule557 from './defense_evasion_disabling_windows_defender_powershell.json';
import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
import rule560 from './persistence_via_bits_job_notify_command.json';
export const rawRules = [
rule1,
@ -1118,4 +1125,11 @@ export const rawRules = [
rule551,
rule552,
rule553,
rule554,
rule555,
rule556,
rule557,
rule558,
rule559,
rule560,
];

50
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_malicious_driver_file_changes.json Normal file
View file

@ -0,0 +1,50 @@
{
"author": [
"Elastic"
],
"description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Potential PrintNightmare File Modification",
"query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
"references": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare"
],
"risk_score": 73,
"rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Privilege Escalation"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"reference": "https://attack.mitre.org/techniques/T1068/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

49
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_malicious_registry_modification.json Normal file
View file

@ -0,0 +1,49 @@
{
"author": [
"Elastic"
],
"description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Potential PrintNightmare Exploit Registry Modification",
"query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
"references": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare"
],
"risk_score": 73,
"rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Privilege Escalation"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"reference": "https://attack.mitre.org/techniques/T1068/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

53
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json Normal file
View file

@ -0,0 +1,53 @@
{
"author": [
"Elastic"
],
"description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
"false_positives": [
"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Suspicious Print Spooler File Deletion",
"query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
"references": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare"
],
"risk_score": 47,
"rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Privilege Escalation"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"reference": "https://attack.mitre.org/techniques/T1068/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}

53
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_printspooler_childprocess.json Normal file
View file

@ -0,0 +1,53 @@
{
"author": [
"Elastic"
],
"description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.",
"false_positives": [
"Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Unusual Print Spooler Child Process",
"query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and user.id : \"S-1-5-18\" and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n",
"references": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare"
],
"risk_score": 47,
"rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Privilege Escalation"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"reference": "https://attack.mitre.org/techniques/T1068/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}