mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 09:48:58 -04:00
* 78 rules populated rules with a package from the siem-rules repo * Update index.ts * Update rule.ts adjust rule count to 145 Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Garrett Spong <spong@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
This commit is contained in:
The SpaceCake Project
GitHub
parent
211d4c405b
commit
c7243c7217
145 changed files with 999 additions and 212 deletions
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,4 +17,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,4 +47,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
],
|
||||
"language": "kuery",
|
||||
"name": "Unusual Network Connection via RunDLL32",
|
||||
"query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
|
||||
"query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
|
||||
"risk_score": 21,
|
||||
"rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
|
||||
"severity": "low",
|
||||
|
|
@ -31,5 +31,5 @@
|
|||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -53,88 +53,105 @@ import rule43 from './linux_anomalous_network_service.json';
|
|||
import rule44 from './linux_anomalous_network_url_activity.json';
|
||||
import rule45 from './linux_anomalous_process_all_hosts.json';
|
||||
import rule46 from './linux_anomalous_user_name.json';
|
||||
import rule47 from './linux_hping_activity.json';
|
||||
import rule48 from './linux_iodine_activity.json';
|
||||
import rule49 from './linux_kernel_module_activity.json';
|
||||
import rule50 from './linux_mknod_activity.json';
|
||||
import rule51 from './linux_netcat_network_connection.json';
|
||||
import rule52 from './linux_nmap_activity.json';
|
||||
import rule53 from './linux_nping_activity.json';
|
||||
import rule54 from './linux_process_started_in_temp_directory.json';
|
||||
import rule55 from './linux_shell_activity_by_web_server.json';
|
||||
import rule56 from './linux_socat_activity.json';
|
||||
import rule57 from './linux_strace_activity.json';
|
||||
import rule58 from './linux_tcpdump_activity.json';
|
||||
import rule59 from './linux_whoami_commmand.json';
|
||||
import rule60 from './network_dns_directly_to_the_internet.json';
|
||||
import rule61 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
|
||||
import rule62 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
|
||||
import rule63 from './network_nat_traversal_port_activity.json';
|
||||
import rule64 from './network_port_26_activity.json';
|
||||
import rule65 from './network_port_8000_activity_to_the_internet.json';
|
||||
import rule66 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
|
||||
import rule67 from './network_proxy_port_activity_to_the_internet.json';
|
||||
import rule68 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
|
||||
import rule69 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
|
||||
import rule70 from './network_rpc_remote_procedure_call_from_the_internet.json';
|
||||
import rule71 from './network_rpc_remote_procedure_call_to_the_internet.json';
|
||||
import rule72 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
|
||||
import rule73 from './network_smtp_to_the_internet.json';
|
||||
import rule74 from './network_sql_server_port_activity_to_the_internet.json';
|
||||
import rule75 from './network_ssh_secure_shell_from_the_internet.json';
|
||||
import rule76 from './network_ssh_secure_shell_to_the_internet.json';
|
||||
import rule77 from './network_telnet_port_activity.json';
|
||||
import rule78 from './network_tor_activity_to_the_internet.json';
|
||||
import rule79 from './network_vnc_virtual_network_computing_from_the_internet.json';
|
||||
import rule80 from './network_vnc_virtual_network_computing_to_the_internet.json';
|
||||
import rule81 from './null_user_agent.json';
|
||||
import rule82 from './packetbeat_dns_tunneling.json';
|
||||
import rule83 from './packetbeat_rare_dns_question.json';
|
||||
import rule84 from './packetbeat_rare_server_domain.json';
|
||||
import rule85 from './packetbeat_rare_urls.json';
|
||||
import rule86 from './packetbeat_rare_user_agent.json';
|
||||
import rule87 from './rare_process_by_host_linux.json';
|
||||
import rule88 from './rare_process_by_host_windows.json';
|
||||
import rule89 from './sqlmap_user_agent.json';
|
||||
import rule90 from './suspicious_login_activity.json';
|
||||
import rule91 from './windows_anomalous_network_activity.json';
|
||||
import rule92 from './windows_anomalous_path_activity.json';
|
||||
import rule93 from './windows_anomalous_process_all_hosts.json';
|
||||
import rule94 from './windows_anomalous_process_creation.json';
|
||||
import rule95 from './windows_anomalous_script.json';
|
||||
import rule96 from './windows_anomalous_service.json';
|
||||
import rule97 from './windows_anomalous_user_name.json';
|
||||
import rule98 from './windows_certutil_network_connection.json';
|
||||
import rule99 from './windows_command_prompt_connecting_to_the_internet.json';
|
||||
import rule100 from './windows_command_shell_started_by_powershell.json';
|
||||
import rule101 from './windows_command_shell_started_by_svchost.json';
|
||||
import rule102 from './windows_credential_dumping_msbuild.json';
|
||||
import rule103 from './windows_cve_2020_0601.json';
|
||||
import rule104 from './windows_defense_evasion_via_filter_manager.json';
|
||||
import rule105 from './windows_execution_msbuild_started_by_office_app.json';
|
||||
import rule106 from './windows_execution_msbuild_started_by_script.json';
|
||||
import rule107 from './windows_execution_msbuild_started_by_system_process.json';
|
||||
import rule108 from './windows_execution_msbuild_started_renamed.json';
|
||||
import rule109 from './windows_execution_msbuild_started_unusal_process.json';
|
||||
import rule110 from './windows_execution_via_compiled_html_file.json';
|
||||
import rule111 from './windows_execution_via_net_com_assemblies.json';
|
||||
import rule112 from './windows_execution_via_trusted_developer_utilities.json';
|
||||
import rule113 from './windows_html_help_executable_program_connecting_to_the_internet.json';
|
||||
import rule114 from './windows_injection_msbuild.json';
|
||||
import rule115 from './windows_misc_lolbin_connecting_to_the_internet.json';
|
||||
import rule116 from './windows_modification_of_boot_config.json';
|
||||
import rule117 from './windows_msxsl_network.json';
|
||||
import rule118 from './windows_net_command_system_account.json';
|
||||
import rule119 from './windows_persistence_via_application_shimming.json';
|
||||
import rule120 from './windows_priv_escalation_via_accessibility_features.json';
|
||||
import rule121 from './windows_process_discovery_via_tasklist_command.json';
|
||||
import rule122 from './windows_rare_user_runas_event.json';
|
||||
import rule123 from './windows_rare_user_type10_remote_login.json';
|
||||
import rule124 from './windows_register_server_program_connecting_to_the_internet.json';
|
||||
import rule125 from './windows_suspicious_pdf_reader.json';
|
||||
import rule126 from './windows_uac_bypass_event_viewer.json';
|
||||
import rule127 from './windows_whoami_command_activity.json';
|
||||
|
||||
import rule47 from './linux_attempt_to_disable_iptables_or_firewall.json';
|
||||
import rule48 from './linux_attempt_to_disable_syslog_service.json';
|
||||
import rule49 from './linux_base16_or_base32_encoding_or_decoding_activity.json';
|
||||
import rule50 from './linux_base64_encoding_or_decoding_activity.json';
|
||||
import rule51 from './linux_disable_selinux_attempt.json';
|
||||
import rule52 from './linux_file_deletion_via_shred.json';
|
||||
import rule53 from './linux_file_mod_writable_dir.json';
|
||||
import rule54 from './linux_hex_encoding_or_decoding_activity.json';
|
||||
import rule55 from './linux_hping_activity.json';
|
||||
import rule56 from './linux_iodine_activity.json';
|
||||
import rule57 from './linux_kernel_module_activity.json';
|
||||
import rule58 from './linux_kernel_module_enumeration.json';
|
||||
import rule59 from './linux_kernel_module_removal.json';
|
||||
import rule60 from './linux_mknod_activity.json';
|
||||
import rule61 from './linux_netcat_network_connection.json';
|
||||
import rule62 from './linux_nmap_activity.json';
|
||||
import rule63 from './linux_nping_activity.json';
|
||||
import rule64 from './linux_perl_tty_shell.json';
|
||||
import rule65 from './linux_process_started_in_temp_directory.json';
|
||||
import rule66 from './linux_python_tty_shell.json';
|
||||
import rule67 from './linux_setgid_bit_set_via_chmod.json';
|
||||
import rule68 from './linux_setuid_bit_set_via_chmod.json';
|
||||
import rule69 from './linux_shell_activity_by_web_server.json';
|
||||
import rule70 from './linux_socat_activity.json';
|
||||
import rule71 from './linux_strace_activity.json';
|
||||
import rule72 from './linux_sudoers_file_mod.json';
|
||||
import rule73 from './linux_tcpdump_activity.json';
|
||||
import rule74 from './linux_telnet_network_activity_external.json';
|
||||
import rule75 from './linux_telnet_network_activity_internal.json';
|
||||
import rule76 from './linux_virtual_machine_fingerprinting.json';
|
||||
import rule77 from './linux_whoami_commmand.json';
|
||||
import rule78 from './network_dns_directly_to_the_internet.json';
|
||||
import rule79 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
|
||||
import rule80 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
|
||||
import rule81 from './network_nat_traversal_port_activity.json';
|
||||
import rule82 from './network_port_26_activity.json';
|
||||
import rule83 from './network_port_8000_activity_to_the_internet.json';
|
||||
import rule84 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
|
||||
import rule85 from './network_proxy_port_activity_to_the_internet.json';
|
||||
import rule86 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
|
||||
import rule87 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
|
||||
import rule88 from './network_rpc_remote_procedure_call_from_the_internet.json';
|
||||
import rule89 from './network_rpc_remote_procedure_call_to_the_internet.json';
|
||||
import rule90 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
|
||||
import rule91 from './network_smtp_to_the_internet.json';
|
||||
import rule92 from './network_sql_server_port_activity_to_the_internet.json';
|
||||
import rule93 from './network_ssh_secure_shell_from_the_internet.json';
|
||||
import rule94 from './network_ssh_secure_shell_to_the_internet.json';
|
||||
import rule95 from './network_telnet_port_activity.json';
|
||||
import rule96 from './network_tor_activity_to_the_internet.json';
|
||||
import rule97 from './network_vnc_virtual_network_computing_from_the_internet.json';
|
||||
import rule98 from './network_vnc_virtual_network_computing_to_the_internet.json';
|
||||
import rule99 from './null_user_agent.json';
|
||||
import rule100 from './packetbeat_dns_tunneling.json';
|
||||
import rule101 from './packetbeat_rare_dns_question.json';
|
||||
import rule102 from './packetbeat_rare_server_domain.json';
|
||||
import rule103 from './packetbeat_rare_urls.json';
|
||||
import rule104 from './packetbeat_rare_user_agent.json';
|
||||
import rule105 from './rare_process_by_host_linux.json';
|
||||
import rule106 from './rare_process_by_host_windows.json';
|
||||
import rule107 from './sqlmap_user_agent.json';
|
||||
import rule108 from './suspicious_login_activity.json';
|
||||
import rule109 from './windows_anomalous_network_activity.json';
|
||||
import rule110 from './windows_anomalous_path_activity.json';
|
||||
import rule111 from './windows_anomalous_process_all_hosts.json';
|
||||
import rule112 from './windows_anomalous_process_creation.json';
|
||||
import rule113 from './windows_anomalous_script.json';
|
||||
import rule114 from './windows_anomalous_service.json';
|
||||
import rule115 from './windows_anomalous_user_name.json';
|
||||
import rule116 from './windows_certutil_network_connection.json';
|
||||
import rule117 from './windows_command_prompt_connecting_to_the_internet.json';
|
||||
import rule118 from './windows_command_shell_started_by_powershell.json';
|
||||
import rule119 from './windows_command_shell_started_by_svchost.json';
|
||||
import rule120 from './windows_credential_dumping_msbuild.json';
|
||||
import rule121 from './windows_cve_2020_0601.json';
|
||||
import rule122 from './windows_defense_evasion_via_filter_manager.json';
|
||||
import rule123 from './windows_execution_msbuild_started_by_office_app.json';
|
||||
import rule124 from './windows_execution_msbuild_started_by_script.json';
|
||||
import rule125 from './windows_execution_msbuild_started_by_system_process.json';
|
||||
import rule126 from './windows_execution_msbuild_started_renamed.json';
|
||||
import rule127 from './windows_execution_msbuild_started_unusal_process.json';
|
||||
import rule128 from './windows_execution_via_compiled_html_file.json';
|
||||
import rule129 from './windows_execution_via_net_com_assemblies.json';
|
||||
import rule130 from './windows_execution_via_trusted_developer_utilities.json';
|
||||
import rule131 from './windows_html_help_executable_program_connecting_to_the_internet.json';
|
||||
import rule132 from './windows_injection_msbuild.json';
|
||||
import rule133 from './windows_misc_lolbin_connecting_to_the_internet.json';
|
||||
import rule134 from './windows_modification_of_boot_config.json';
|
||||
import rule135 from './windows_msxsl_network.json';
|
||||
import rule136 from './windows_net_command_system_account.json';
|
||||
import rule137 from './windows_persistence_via_application_shimming.json';
|
||||
import rule138 from './windows_priv_escalation_via_accessibility_features.json';
|
||||
import rule139 from './windows_process_discovery_via_tasklist_command.json';
|
||||
import rule140 from './windows_rare_user_runas_event.json';
|
||||
import rule141 from './windows_rare_user_type10_remote_login.json';
|
||||
import rule142 from './windows_register_server_program_connecting_to_the_internet.json';
|
||||
import rule143 from './windows_suspicious_pdf_reader.json';
|
||||
import rule144 from './windows_uac_bypass_event_viewer.json';
|
||||
import rule145 from './windows_whoami_command_activity.json';
|
||||
export const rawRules = [
|
||||
rule1,
|
||||
rule2,
|
||||
|
|
@ -263,4 +280,22 @@ export const rawRules = [
|
|||
rule125,
|
||||
rule126,
|
||||
rule127,
|
||||
rule128,
|
||||
rule129,
|
||||
rule130,
|
||||
rule131,
|
||||
rule132,
|
||||
rule133,
|
||||
rule134,
|
||||
rule135,
|
||||
rule136,
|
||||
rule137,
|
||||
rule138,
|
||||
rule139,
|
||||
rule140,
|
||||
rule141,
|
||||
rule142,
|
||||
rule143,
|
||||
rule144,
|
||||
rule145,
|
||||
];
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
"interval": "15m",
|
||||
"machine_learning_job_id": "linux_anomalous_network_activity_ecs",
|
||||
"name": "Unusual Linux Network Activity",
|
||||
"note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -20,6 +21,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
"interval": "15m",
|
||||
"machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
|
||||
"name": "Anomalous Process For a Linux Population",
|
||||
"note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -20,6 +21,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
"interval": "15m",
|
||||
"machine_learning_job_id": "linux_anomalous_user_name_ecs",
|
||||
"name": "Unusual Linux Username",
|
||||
"note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -20,6 +21,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Attempt to Disable IPTables or Firewall",
|
||||
"query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
|
||||
"risk_score": 47,
|
||||
"rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1089",
|
||||
"name": "Disabling Security Tools",
|
||||
"reference": "https://attack.mitre.org/techniques/T1089/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Attempt to Disable Syslog Service",
|
||||
"query": "event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
|
||||
"risk_score": 47,
|
||||
"rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1089",
|
||||
"name": "Disabling Security Tools",
|
||||
"reference": "https://attack.mitre.org/techniques/T1089/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
{
|
||||
"description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
|
||||
"false_positives": [
|
||||
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Base16 or Base32 Encoding/Decoding Activity",
|
||||
"query": "event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
|
||||
"risk_score": 21,
|
||||
"rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1140",
|
||||
"name": "Deobfuscate/Decode Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1140/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1027",
|
||||
"name": "Obfuscated Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1027/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
{
|
||||
"description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
|
||||
"false_positives": [
|
||||
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Base64 Encoding/Decoding Activity",
|
||||
"query": "event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
|
||||
"risk_score": 21,
|
||||
"rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1140",
|
||||
"name": "Deobfuscate/Decode Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1140/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1027",
|
||||
"name": "Obfuscated Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1027/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Potential Disabling of SELinux",
|
||||
"query": "event.action:executed and process.name:setenforce and process.args:0",
|
||||
"risk_score": 47,
|
||||
"rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1089",
|
||||
"name": "Disabling Security Tools",
|
||||
"reference": "https://attack.mitre.org/techniques/T1089/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "File Deletion via Shred",
|
||||
"query": "event.action:(executed or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
|
||||
"risk_score": 21,
|
||||
"rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1107",
|
||||
"name": "File Deletion",
|
||||
"reference": "https://attack.mitre.org/techniques/T1107/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
|
||||
"false_positives": [
|
||||
"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "File Permission Modification in Writable Directory",
|
||||
"query": "event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
|
||||
"risk_score": 21,
|
||||
"rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1222",
|
||||
"name": "File and Directory Permissions Modification",
|
||||
"reference": "https://attack.mitre.org/techniques/T1222/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
{
|
||||
"description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
|
||||
"false_positives": [
|
||||
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Hex Encoding/Decoding Activity",
|
||||
"query": "event.action:(executed or process_started) and process.name:(hex or xxd)",
|
||||
"risk_score": 21,
|
||||
"rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1140",
|
||||
"name": "Deobfuscate/Decode Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1140/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1027",
|
||||
"name": "Obfuscated Files or Information",
|
||||
"reference": "https://attack.mitre.org/techniques/T1027/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -38,4 +38,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
|
||||
"false_positives": [
|
||||
"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Enumeration of Kernel Modules",
|
||||
"query": "event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
|
||||
"risk_score": 47,
|
||||
"rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0007",
|
||||
"name": "Discovery",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0007/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1082",
|
||||
"name": "System Information Discovery",
|
||||
"reference": "https://attack.mitre.org/techniques/T1082/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
{
|
||||
"description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
|
||||
"false_positives": [
|
||||
"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Kernel Module Removal",
|
||||
"query": "event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and (\"--remove\" or \"-r\"))",
|
||||
"references": [
|
||||
"http://man7.org/linux/man-pages/man8/modprobe.8.html"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1089",
|
||||
"name": "Disabling Security Tools",
|
||||
"reference": "https://attack.mitre.org/techniques/T1089/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0003",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0003/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1215",
|
||||
"name": "Kernel Modules and Extensions",
|
||||
"reference": "https://attack.mitre.org/techniques/T1215/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,4 +23,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Interactive Terminal Spawned via Perl",
|
||||
"query": "event.action:executed and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
|
||||
"risk_score": 73,
|
||||
"rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command-Line Interface",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -18,4 +18,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Interactive Terminal Spawned via Python",
|
||||
"query": "event.action:executed and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
|
||||
"risk_score": 73,
|
||||
"rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command-Line Interface",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
{
|
||||
"description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "lucene",
|
||||
"max_signals": 33,
|
||||
"name": "Setgid Bit Set via chmod",
|
||||
"query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
|
||||
"risk_score": 21,
|
||||
"rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Privilege Escalation",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1166",
|
||||
"name": "Setuid and Setgid",
|
||||
"reference": "https://attack.mitre.org/techniques/T1166/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1166",
|
||||
"name": "Setuid and Setgid",
|
||||
"reference": "https://attack.mitre.org/techniques/T1166/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
{
|
||||
"description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "lucene",
|
||||
"max_signals": 33,
|
||||
"name": "Setuid Bit Set via chmod",
|
||||
"query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
|
||||
"risk_score": 21,
|
||||
"rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Privilege Escalation",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1166",
|
||||
"name": "Setuid and Setgid",
|
||||
"reference": "https://attack.mitre.org/techniques/T1166/"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1166",
|
||||
"name": "Setuid and Setgid",
|
||||
"reference": "https://attack.mitre.org/techniques/T1166/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -8,7 +8,7 @@
|
|||
],
|
||||
"language": "kuery",
|
||||
"name": "Potential Shell via Web Server",
|
||||
"query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed",
|
||||
"query": "process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\") and event.action:executed",
|
||||
"references": [
|
||||
"https://pentestlab.blog/tag/web-shell/"
|
||||
],
|
||||
|
|
@ -37,5 +37,5 @@
|
|||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Sudoers File Modification",
|
||||
"query": "event.module:file_integrity and event.action:updated and file.path:/etc/sudoers",
|
||||
"risk_score": 21,
|
||||
"rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0004",
|
||||
"name": "Privilege Escalation",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0004/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1169",
|
||||
"name": "Sudo",
|
||||
"reference": "https://attack.mitre.org/techniques/T1169/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
|
||||
"false_positives": [
|
||||
"Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Connection to External Network via Telnet",
|
||||
"query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
|
||||
"risk_score": 47,
|
||||
"rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0008",
|
||||
"name": "Lateral Movement",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0008/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1021",
|
||||
"name": "Remote Services",
|
||||
"reference": "https://attack.mitre.org/techniques/T1021/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
|
||||
"false_positives": [
|
||||
"Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Connection to Internal Network via Telnet",
|
||||
"query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
|
||||
"risk_score": 47,
|
||||
"rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0008",
|
||||
"name": "Lateral Movement",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0008/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1021",
|
||||
"name": "Remote Services",
|
||||
"reference": "https://attack.mitre.org/techniques/T1021/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
|
||||
"false_positives": [
|
||||
"Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
|
||||
],
|
||||
"index": [
|
||||
"auditbeat-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"name": "Virtual Machine Fingerprinting",
|
||||
"query": "event.action:executed and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
|
||||
"risk_score": 73,
|
||||
"rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Linux"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0007",
|
||||
"name": "Discovery",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0007/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1082",
|
||||
"name": "System Information Discovery",
|
||||
"reference": "https://attack.mitre.org/techniques/T1082/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,4 +39,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -54,4 +54,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -65,4 +65,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,4 +32,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,4 +47,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -65,4 +65,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -65,4 +65,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,4 +50,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,4 +35,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 3
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,4 +39,4 @@
|
|||
],
|
||||
"type": "query",
|
||||
"version": 2
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,4 +21,4 @@
|
|||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue