[Detection Rules] Add 8.0 rules (#121045)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Justin Ibarra 2021-12-13 12:05:17 -09:00 committed by GitHub
parent 35739880a6
commit f4f10ac88f
42 changed files with 1659 additions and 342 deletions


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.",
"description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n )\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n )\n",
"references": [
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
],
@ -66,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}
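Review bot: Replacing `event.code:"4104"` with `event.category:process` on line 28 makes the match depend entirely on `powershell.file.script_block_text` being populated, and nothing in the hunk shows that field is limited to script-block (4104) events. If the integration ever fills it for other PowerShell event types, the rule's scope changes with the integration rather than with the rule. The same substitution appears in the MiniDump rule (line 148) and the discovery-API rule (line 914); consider keeping the code constraint alongside the category, e.g. `event.category:process and event.code:"4104" and`, if the earlier precision was intended to survive.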


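--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,78 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"name": "PowerShell Keylogging Script",
+"query": "event.category:process and \n ( \n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n )\n",
+"references": [
+"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
+"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
+],
+"risk_score": 73,
+"rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Collection"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0009",
+"name": "Collection",
+"reference": "https://attack.mitre.org/tactics/TA0009/"
+},
+"technique": [
+{
+"id": "T1056",
+"name": "Input Capture",
+"reference": "https://attack.mitre.org/techniques/T1056/",
+"subtechnique": [
+{
+"id": "T1056.001",
+"name": "Keylogging",
+"reference": "https://attack.mitre.org/techniques/T1056/001/"
+}
+]
+}
+]
+},
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0002",
+"name": "Execution",
+"reference": "https://attack.mitre.org/tactics/TA0002/"
+},
+"technique": [
+{
+"id": "T1059",
+"name": "Command and Scripting Interpreter",
+"reference": "https://attack.mitre.org/techniques/T1059/",
+"subtechnique": [
+{
+"id": "T1059.001",
+"name": "PowerShell",
+"reference": "https://attack.mitre.org/techniques/T1059/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "query",
+"version": 1
+}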
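Review bot: The second clause of the query (line 56) lists `WM_KEYBOARD_LL`, but the hook type passed to SetWindowsHookEx for a low-level keyboard hook is `WH_KEYBOARD_LL`; `WM_KEYBOARD_LL` is not a Windows identifier. A script that installs the hook and reads keys without also calling GetForegroundWindow or GetWindowText therefore never satisfies the `and` branch. Change the term to `WH_KEYBOARD_LL`, or keep both if the misspelling was deliberately included to catch copied code, and say so in a `note`.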


@ -13,7 +13,7 @@
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "lucene",
"language": "kuery",
"license": "Elastic License v2",
"name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
@ -52,5 +52,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}
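Review bot: The `language` switch from `lucene` to `kuery` on line 129 is made without any visible change to the `query` value, which lies outside this hunk. Lucene and KQL differ in operator spelling, quoting and wildcard handling, so a query written for one does not necessarily parse or match identically under the other. The commit should confirm the query was re-validated under KQL, or include the adjusted query in the same change so the two fields cannot drift apart.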


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell MiniDump Script",
"query": "event.code:\"4104\" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
"query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
"references": [
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1"
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory for credential access.",
"description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -51,5 +51,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}


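--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,56 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential Credential Access via Renamed COM+ Services DLL",
+"note": "## Config\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.",
+"query": "sequence by process.entity_id with maxspan=1m\n [process where event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n",
+"references": [
+"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"
+],
+"risk_score": 73,
+"rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Credential Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0006",
+"name": "Credential Access",
+"reference": "https://attack.mitre.org/tactics/TA0006/"
+},
+"technique": [
+{
+"id": "T1003",
+"name": "OS Credential Dumping",
+"reference": "https://attack.mitre.org/techniques/T1003/",
+"subtechnique": [
+{
+"id": "T1003.001",
+"name": "LSASS Memory",
+"reference": "https://attack.mitre.org/techniques/T1003/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}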
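Review bot: The second sequence step (line 196) pins a single `file.pe.imphash` value, and nothing in the rule says that this hash is specific to one build of COMSVCS.DLL; after an OS update only the `file.pe.original_file_name` branch keeps working, so the `note` should state that the hash is build-specific and needs periodic refreshing, for example `The imphash matches one build of COMSVCS.DLL; the Original File Name check is the durable condition.`. Separately, the step requires `event.category == "process"` for a Sysmon image-load event (code 7); if the windows.sysmon_operational dataset categorizes those events differently, the second step never matches — worth confirming against the integration's mapping.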


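--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,55 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential Credential Access via LSASS Memory Dump",
+"query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n \n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbhelp*\", \"*dbgcore*\") and\n \n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n",
+"references": [
+"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"
+],
+"risk_score": 73,
+"rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Credential Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0006",
+"name": "Credential Access",
+"reference": "https://attack.mitre.org/tactics/TA0006/"
+},
+"technique": [
+{
+"id": "T1003",
+"name": "OS Credential Dumping",
+"reference": "https://attack.mitre.org/techniques/T1003/",
+"subtechnique": [
+{
+"id": "T1003.001",
+"name": "LSASS Memory",
+"reference": "https://attack.mitre.org/techniques/T1003/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}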
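Review bot: The CallTrace pattern on line 255 is `"*dbhelp*"`, but the library the description names is dbghelp.dll; the string `dbhelp` is not a substring of `dbghelp`, so the rule never matches the call trace it is primarily written for and only the `*dbgcore*` branch is live. The pattern should read `winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*")`. The description on line 246 also misspells "preparation" as "preperation".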


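--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,69 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
+"note": "## Config\n\nThis is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
+"query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n",
+"references": [
+"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"
+],
+"risk_score": 73,
+"rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Credential Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0006",
+"name": "Credential Access",
+"reference": "https://attack.mitre.org/tactics/TA0006/"
+},
+"technique": [
+{
+"id": "T1003",
+"name": "OS Credential Dumping",
+"reference": "https://attack.mitre.org/techniques/T1003/",
+"subtechnique": [
+{
+"id": "T1003.001",
+"name": "LSASS Memory",
+"reference": "https://attack.mitre.org/techniques/T1003/001/"
+}
+]
+}
+]
+}
+],
+"threshold": {
+"cardinality": [
+{
+"field": "winlog.event_data.TargetProcessId",
+"value": 2
+}
+],
+"field": [
+"process.entity_id"
+],
+"value": 2
+},
+"timestamp_override": "event.ingested",
+"type": "threshold",
+"version": 1
+}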
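Review bot: The TargetImage list on line 315 enumerates case variants of the LSASS path because the comparison is exact, but it covers only three of the four capitalizations of the drive letter and `System32`; `C:\Windows\System32\lsass.exe` (capital C and capital S) is missing, and Windows itself is not consistent about which form appears in this field. Add `"C:\\\\Windows\\\\System32\\\\lsass.exe"` to the list, or match with a trailing wildcard such as `*\\\\lsass.exe` if the field's mapping supports it, and note that non-C system drives are not covered either. The description on line 305 also reads "two successive process access are performed" where "accesses" is meant.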


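--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,57 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
+"note": "## Config\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.",
+"query": "process where event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n",
+"references": [
+"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
+],
+"risk_score": 73,
+"rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Credential Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0006",
+"name": "Credential Access",
+"reference": "https://attack.mitre.org/tactics/TA0006/"
+},
+"technique": [
+{
+"id": "T1003",
+"name": "OS Credential Dumping",
+"reference": "https://attack.mitre.org/techniques/T1003/",
+"subtechnique": [
+{
+"id": "T1003.001",
+"name": "LSASS Memory",
+"reference": "https://attack.mitre.org/techniques/T1003/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}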
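Review bot: The query on line 388 compares the event code with `event.code:"4688"` while the other EQL rules in this commit use `event.code == "10"` and `event.code == "7"`; both forms work, but the `:` operator is the case-insensitive string comparison and reads as if the value could vary in case, which an event code cannot. For consistency with the sibling rules write `process where event.code == "4688" and`. Everything else in the rule is self-contained.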


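--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,58 @@
+{
+"author": [
+"Austin Songer"
+],
+"description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Clearing Windows Console History",
+"query": "process where event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n",
+"references": [
+"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+"https://www.shellhacks.com/clear-history-powershell/",
+"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+],
+"risk_score": 47,
+"rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1070",
+"name": "Indicator Removal on Host",
+"reference": "https://attack.mitre.org/techniques/T1070/",
+"subtechnique": [
+{
+"id": "T1070.003",
+"name": "Clear Command History",
+"reference": "https://attack.mitre.org/techniques/T1070/003/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}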
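Review bot: The query on line 449 gates on `event.action == "start"`, yet the `index` list includes `winlogbeat-*` and `logs-windows.*`, whose process-creation events carry the Windows-specific action string rather than the ECS `start` value; the existing rules in this same commit (lines 501–502 and 807–808) use `event.type == "start"` for exactly this reason, so on the Windows log sources this rule is likely to be dead. Either change the predicate to `process where event.type == "start" and` or drop the two Windows indices from the list. The Windows Firewall rule added at line 746 has the same predicate and the same index mix, and its `false_positives` text on line 735 ("Windows Firewall can be disabled may be performed by a system administrator", "Windows Profile being disabled") needs rewording before release.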


@ -13,7 +13,7 @@
"license": "Elastic License v2",
"name": "Windows Defender Exclusions Added via PowerShell",
"note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. 
There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n",
"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n",
"references": [
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
],
@ -80,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 5
}


@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.",
"description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -46,5 +46,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse Control.exe to proxy execution of malicious code.",
"description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
@ -52,5 +52,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}


@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
"description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
"false_positives": [
"Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
@ -56,5 +56,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}


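--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,82 @@
+{
+"author": [
+"Elastic"
+],
+"description": "This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"name": "Suspicious .NET Reflection via PowerShell",
+"query": "event.category:process and \n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n )\n",
+"references": [
+"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
+],
+"risk_score": 73,
+"rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1055",
+"name": "Process Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/",
+"subtechnique": [
+{
+"id": "T1055.001",
+"name": "Dynamic-link Library Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/001/"
+},
+{
+"id": "T1055.002",
+"name": "Portable Executable Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/002/"
+}
+]
+}
+]
+},
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0002",
+"name": "Execution",
+"reference": "https://attack.mitre.org/tactics/TA0002/"
+},
+"technique": [
+{
+"id": "T1059",
+"name": "Command and Scripting Interpreter",
+"reference": "https://attack.mitre.org/techniques/T1059/",
+"subtechnique": [
+{
+"id": "T1059.001",
+"name": "PowerShell",
+"reference": "https://attack.mitre.org/techniques/T1059/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "query",
+"version": 1
+}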
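Review bot: The description on line 578 writes "Powershell Scripts" while this same commit corrects "Powershell" to "PowerShell" on line 905; the new text should follow the corrected spelling, and the same inconsistency is in the `false_positives` entries on lines 666 and 907. On the query (line 587), the two quoted phrases end in `::Load`; whether they also catch `::LoadFile(` and `::LoadFrom(` depends on how `powershell.file.script_block_text` is analyzed, so if those overloads are in scope either add explicit terms or document in a `note` that only `Load(` is intended. The ATT&CK mapping to T1055 sub-techniques is also an inference from the description rather than something the hunk demonstrates; confirm it matches the taxonomy version the repository targets.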


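--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,65 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.",
+"false_positives": [
+"Legitimate Powershell Scripts that make use of these Functions"
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"name": "Potential Process Injection via PowerShell",
+"query": "event.category:process and \n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread)\n )\n",
+"references": [
+"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
+"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
+"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"
+],
+"risk_score": 73,
+"rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1055",
+"name": "Process Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/",
+"subtechnique": [
+{
+"id": "T1055.001",
+"name": "Dynamic-link Library Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/001/"
+},
+{
+"id": "T1055.002",
+"name": "Portable Executable Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/002/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "query",
+"version": 1
+}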


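--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,62 @@
+{
+"author": [
+"Austin Songer"
+],
+"description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.",
+"false_positives": [
+"Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+],
+"from": "now-9m",
+"index": [
+"logs-endpoint.events.*",
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Windows Firewall Disabled via PowerShell",
+"query": "process where event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n",
+"references": [
+"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+"http://woshub.com/manage-windows-firewall-powershell/"
+],
+"risk_score": 47,
+"rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.004",
+"name": "Disable or Modify System Firewall",
+"reference": "https://attack.mitre.org/techniques/T1562/004/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}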


@ -1,6 +1,7 @@
{
"author": [
"Elastic"
"Elastic",
"Austin Songer"
],
"description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.",
"from": "now-9m",
@ -12,7 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Suspicious CertUtil Commands",
"query": "process where event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\")\n",
"query": "process where event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n",
"references": [
"https://twitter.com/Moriarty_Meng/status/984380793383370752",
"https://twitter.com/egre55/status/1087685529016193025",
@ -48,5 +49,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 9
"version": 10
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
"description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -45,5 +45,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}


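--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,45 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Suspicious Process Creation CallTrace",
+"query": "sequence by host.id with maxspan=1m\n [process where event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\",\n \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\")] by process.parent.entity_id, process.entity_id\n [process where event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n",
+"risk_score": 43,
+"rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1055",
+"name": "Process Injection",
+"reference": "https://attack.mitre.org/techniques/T1055/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}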
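Review bot: The sequence on line 855 joins the second step's `winlog.event_data.TargetProcessGUID` against the first step's `process.entity_id`, and the rule only works if both fields carry the Sysmon GUID in byte-identical form (same braces, same case); nothing in the hunk establishes that the integration normalizes them identically, so this needs a `note` or a query comment such as `/* TargetProcessGUID must be in the same format as process.entity_id for the join to hold */` and a test event pair in the PR. The rule also ships without a `references` array, unlike every other new rule in this commit, and its description does not say which parent-process list is being used as the seed; one sentence naming that would help triage.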


@ -40,5 +40,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 4
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.,",
"description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.",
"false_positives": [
"Legitimate Powershell Scripts that make use of these Functions"
],
@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity\n )\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity\n )\n",
"references": [
"https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413"
],
@ -86,5 +86,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}
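Review bot: The `query` value now keys on `event.category:process` instead of `event.code:"4104"`, so nothing in the rule any longer states that it depends on PowerShell Script Block Logging being enabled, which — judging by the 4104 event code the old query used — is what populates `powershell.file.script_block_text`; a `note` in the style of the `## Config` section the new Enumeration of Privileged Local Groups Membership rule in this commit carries would make that prerequisite visible, e.g. `"note": "## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled for this rule to produce alerts.\n"`. Whether any other event in the `process` category carries `powershell.file.script_block_text` is not visible here; if some do, dropping the event code also widens what the rule scans. The same applies to the identical query change in the Suspicious Portable Executable Encoded in Powershell Script rule further down in this commit (and to the audio-capture rule). As a style point, the leading "This rule detects" in the new `description` could be shortened to "Detects", the form the commit itself adopts for the portable-executable rule's description.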

@ -0,0 +1,53 @@
{
"author": [
"Elastic"
],
"description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Enumeration of Privileged Local Groups Membership",
"note": "## Config\n\nThis will require Windows security event 4799 by enabling audit success for the windows Account Management category and\nthe Security Group Management subcategory.\n",
"query": "iam where event.action == \"user-member-enumerated\" and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\") and\n /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n",
"risk_score": 43,
"rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1069",
"name": "Permission Groups Discovery",
"reference": "https://attack.mitre.org/techniques/T1069/",
"subtechnique": [
{
"id": "T1069.001",
"name": "Local Groups",
"reference": "https://attack.mitre.org/techniques/T1069/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}
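Review bot: In the `group.name` clause of the query, `RemoteDesktopUsers` is written without spaces, whereas the built-in group is named `Remote Desktop Users` on English systems, so that alternative likely never matches and coverage of that group rests entirely on the `S-1-5-32-555` check in the `TargetSid` clause; if the name is meant as a fallback it should probably read `"Remote Desktop Users"`, which is worth confirming against a real 4799 event before merging. The `CallerProcessName` exclusion list ends with `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe`, which exempts every executable under either directory rather than the specific noisy binaries the earlier entries name; if that trade-off is intentional, a short comment in the query (`/* broad Program Files exclusion accepted for noise reduction */`) or a sentence in the `note` should record it so a later maintainer does not mistake it for an oversight. Finally, the `note` text says "the windows Account Management category"; `Windows` should be capitalised to match the rest of the sentence.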

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"from": "now-15m",
"index": [
"endgame-*"
@ -20,5 +20,5 @@
"Elastic Endgame"
],
"type": "query",
"version": 6
"version": 7
}

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
"from": "now-15m",
"index": [
"endgame-*"
@ -20,5 +20,5 @@
"Elastic Endgame"
],
"type": "query",
"version": 6
"version": 7
}

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk.,",
"description": "Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Suspicious Portable Executable Encoded in Powershell Script",
"query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n",
"query": "event.category:process and \n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n",
"risk_score": 47,
"rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
"severity": "medium",
@ -48,5 +48,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection.",
"description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.",
"from": "now-9m",
"index": [
"auditbeat-*",
@ -10,8 +10,13 @@
],
"language": "eql",
"license": "Elastic License v2",
"name": "Suspicious JAR Child Process",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n process.args : \"-jar\" and process.args : \"*.jar\" and\n /* Add any FP's here */\n not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n",
"name": "Suspicious JAVA Child Process",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n",
"references": [
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/christophetd/log4shell-vulnerable-app",
"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
],
"risk_score": 47,
"rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
"severity": "medium",
@ -49,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
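Review bot: The rewritten `query` drops both the `-jar`/`*.jar` argument constraint and the executable/argument exclusions the previous version carried (`/Users/*/.sdkman/*`, `/Library/Java/JavaVirtualMachines/*`, `/usr/local/*`, `/Users/*/github.com/*`, `/Users/*/src/*`), so every `sh`/`bash`/`curl`/`wget` child of a process named `java` now matches, including the shells that build tooling and developer JVMs routinely spawn, while `risk_score` 47 and `severity` medium are unchanged and no `false_positives` entry is visible in the hunk (the keys are sorted, so one would sit between `description` and `from`). Adding `"false_positives": ["Java build tooling and developer environments may legitimately spawn shells, curl or wget from the java process; exempt known hosts or executables if this generates noise."]` would record the expected noise that the removed exclusions previously suppressed. If the exclusions were removed deliberately to broaden coverage for the Log4Shell exploitation the new references describe, a short comment in the query saying so would stop a later maintainer from reinstating them. Separately, the new `name` spells the language as `JAVA` and the description says "a JAVA specific vulnerability"; the conventional spelling is `Java`, e.g. `"name": "Suspicious Java Child Process"`.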

@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
"description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
"false_positives": [
"Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
@ -43,5 +43,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or breaking the flow with other AWS services.",
"description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.",
"false_positives": [
"EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
@ -44,5 +44,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.",
"description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.",
"false_positives": [
"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."
],
@ -48,5 +48,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}

@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
"description": "Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
"false_positives": [
"Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
@ -32,5 +32,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
"version": 6
}
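Review bot: The new `description` begins "Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created", which duplicates the phrase — the lowercase wording appears to have been inserted next to the original instead of replacing it. It should read `"description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. ..."` with the remainder of the text unchanged. Since this commit already bumps the file's `version` to 6, fixing it here avoids a second bump for a one-word correction.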

@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.",
"description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.",
"false_positives": [
"Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
@ -43,5 +43,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

@ -2,7 +2,7 @@
"author": [
"Austin Songer"
],
"description": "Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.",
"description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.",
"false_positives": [
"If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."
],
@ -50,5 +50,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

@ -331,293 +331,310 @@ import rule318 from './defense_evasion_execution_lolbas_wuauclt.json';
import rule319 from './privilege_escalation_unusual_svchost_childproc_childless.json';
import rule320 from './command_and_control_rdp_tunnel_plink.json';
import rule321 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json';
import rule322 from './persistence_ms_office_addins_file.json';
import rule323 from './discovery_adfind_command_activity.json';
import rule324 from './discovery_security_software_wmic.json';
import rule325 from './execution_command_shell_via_rundll32.json';
import rule326 from './execution_suspicious_cmd_wmi.json';
import rule327 from './lateral_movement_via_startup_folder_rdp_smb.json';
import rule328 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json';
import rule329 from './privilege_escalation_uac_bypass_mock_windir.json';
import rule330 from './defense_evasion_potential_processherpaderping.json';
import rule331 from './privilege_escalation_uac_bypass_dll_sideloading.json';
import rule332 from './execution_shared_modules_local_sxs_dll.json';
import rule333 from './privilege_escalation_uac_bypass_com_clipup.json';
import rule334 from './initial_access_via_explorer_suspicious_child_parent_args.json';
import rule335 from './execution_from_unusual_directory.json';
import rule336 from './execution_from_unusual_path_cmdline.json';
import rule337 from './credential_access_kerberoasting_unusual_process.json';
import rule338 from './discovery_peripheral_device.json';
import rule339 from './lateral_movement_mount_hidden_or_webdav_share_net.json';
import rule340 from './defense_evasion_deleting_websvr_access_logs.json';
import rule341 from './defense_evasion_log_files_deleted.json';
import rule342 from './defense_evasion_timestomp_touch.json';
import rule343 from './lateral_movement_dcom_hta.json';
import rule344 from './lateral_movement_execution_via_file_shares_sequence.json';
import rule345 from './privilege_escalation_uac_bypass_com_ieinstal.json';
import rule346 from './command_and_control_common_webservices.json';
import rule347 from './command_and_control_encrypted_channel_freesslcert.json';
import rule348 from './defense_evasion_process_termination_followed_by_deletion.json';
import rule349 from './lateral_movement_remote_file_copy_hidden_share.json';
import rule350 from './attempt_to_deactivate_okta_network_zone.json';
import rule351 from './attempt_to_delete_okta_network_zone.json';
import rule352 from './lateral_movement_dcom_mmc20.json';
import rule353 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json';
import rule354 from './okta_attempt_to_deactivate_okta_application.json';
import rule355 from './okta_attempt_to_delete_okta_application.json';
import rule356 from './okta_attempt_to_delete_okta_policy_rule.json';
import rule357 from './okta_attempt_to_modify_okta_application.json';
import rule358 from './persistence_administrator_role_assigned_to_okta_user.json';
import rule359 from './lateral_movement_executable_tool_transfer_smb.json';
import rule360 from './command_and_control_dns_tunneling_nslookup.json';
import rule361 from './lateral_movement_execution_from_tsclient_mup.json';
import rule362 from './lateral_movement_rdp_sharprdp_target.json';
import rule363 from './defense_evasion_clearing_windows_security_logs.json';
import rule364 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json';
import rule365 from './execution_suspicious_short_program_name.json';
import rule366 from './lateral_movement_incoming_wmi.json';
import rule367 from './persistence_via_hidden_run_key_valuename.json';
import rule368 from './credential_access_potential_ssh_bruteforce.json';
import rule369 from './credential_access_promt_for_pwd_via_osascript.json';
import rule370 from './lateral_movement_remote_services.json';
import rule371 from './application_added_to_google_workspace_domain.json';
import rule372 from './domain_added_to_google_workspace_trusted_domains.json';
import rule373 from './execution_suspicious_image_load_wmi_ms_office.json';
import rule374 from './execution_suspicious_powershell_imgload.json';
import rule375 from './google_workspace_admin_role_deletion.json';
import rule376 from './google_workspace_mfa_enforcement_disabled.json';
import rule377 from './google_workspace_policy_modified.json';
import rule378 from './mfa_disabled_for_google_workspace_organization.json';
import rule379 from './persistence_evasion_registry_ifeo_injection.json';
import rule380 from './persistence_google_workspace_admin_role_assigned_to_user.json';
import rule381 from './persistence_google_workspace_custom_admin_role_created.json';
import rule382 from './persistence_google_workspace_role_modified.json';
import rule383 from './persistence_suspicious_image_load_scheduled_task_ms_office.json';
import rule384 from './defense_evasion_masquerading_trusted_directory.json';
import rule385 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json';
import rule386 from './initial_access_microsoft_365_exchange_safelinks_disabled.json';
import rule387 from './microsoft_365_exchange_dkim_signing_config_disabled.json';
import rule388 from './persistence_appcertdlls_registry.json';
import rule389 from './persistence_appinitdlls_registry.json';
import rule390 from './persistence_registry_uncommon.json';
import rule391 from './persistence_run_key_and_startup_broad.json';
import rule392 from './persistence_services_registry.json';
import rule393 from './persistence_startup_folder_file_written_by_suspicious_process.json';
import rule394 from './persistence_startup_folder_scripts.json';
import rule395 from './persistence_suspicious_com_hijack_registry.json';
import rule396 from './persistence_via_lsa_security_support_provider_registry.json';
import rule397 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json';
import rule398 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json';
import rule399 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json';
import rule400 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json';
import rule401 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json';
import rule402 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json';
import rule403 from './lateral_movement_suspicious_rdp_client_imageload.json';
import rule404 from './persistence_runtime_run_key_startup_susp_procs.json';
import rule405 from './persistence_suspicious_scheduled_task_runtime.json';
import rule406 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json';
import rule407 from './lateral_movement_scheduled_task_target.json';
import rule408 from './persistence_microsoft_365_exchange_management_role_assignment.json';
import rule409 from './persistence_microsoft_365_teams_guest_access_enabled.json';
import rule410 from './credential_access_dump_registry_hives.json';
import rule411 from './defense_evasion_scheduledjobs_at_protocol_enabled.json';
import rule412 from './persistence_ms_outlook_vba_template.json';
import rule413 from './persistence_suspicious_service_created_registry.json';
import rule414 from './privilege_escalation_named_pipe_impersonation.json';
import rule415 from './credential_access_cmdline_dump_tool.json';
import rule416 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json';
import rule417 from './credential_access_lsass_memdump_file_created.json';
import rule418 from './lateral_movement_incoming_winrm_shell_execution.json';
import rule419 from './lateral_movement_powershell_remoting_target.json';
import rule420 from './command_and_control_port_forwarding_added_registry.json';
import rule421 from './defense_evasion_hide_encoded_executable_registry.json';
import rule422 from './lateral_movement_rdp_enabled_registry.json';
import rule423 from './privilege_escalation_printspooler_registry_copyfiles.json';
import rule424 from './privilege_escalation_rogue_windir_environment_var.json';
import rule425 from './initial_access_scripts_process_started_via_wmi.json';
import rule426 from './command_and_control_iexplore_via_com.json';
import rule427 from './command_and_control_remote_file_copy_scripts.json';
import rule428 from './persistence_local_scheduled_task_scripting.json';
import rule429 from './persistence_startup_folder_file_written_by_unsigned_process.json';
import rule430 from './command_and_control_remote_file_copy_powershell.json';
import rule431 from './credential_access_microsoft_365_brute_force_user_account_attempt.json';
import rule432 from './microsoft_365_teams_custom_app_interaction_allowed.json';
import rule433 from './persistence_microsoft_365_teams_external_access_enabled.json';
import rule434 from './credential_access_microsoft_365_potential_password_spraying_attack.json';
import rule435 from './impact_stop_process_service_threshold.json';
import rule436 from './collection_winrar_encryption.json';
import rule437 from './defense_evasion_unusual_dir_ads.json';
import rule438 from './discovery_admin_recon.json';
import rule439 from './discovery_file_dir_discovery.json';
import rule440 from './discovery_net_view.json';
import rule441 from './discovery_remote_system_discovery_commands_windows.json';
import rule442 from './persistence_via_windows_management_instrumentation_event_subscription.json';
import rule443 from './execution_scripting_osascript_exec_followed_by_netcon.json';
import rule444 from './execution_shell_execution_via_apple_scripting.json';
import rule445 from './persistence_creation_change_launch_agents_file.json';
import rule446 from './persistence_creation_modif_launch_deamon_sequence.json';
import rule447 from './persistence_folder_action_scripts_runtime.json';
import rule448 from './persistence_login_logout_hooks_defaults.json';
import rule449 from './privilege_escalation_explicit_creds_via_scripting.json';
import rule450 from './command_and_control_sunburst_c2_activity_detected.json';
import rule451 from './defense_evasion_azure_application_credential_modification.json';
import rule452 from './defense_evasion_azure_service_principal_addition.json';
import rule453 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json';
import rule454 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json';
import rule455 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json';
import rule456 from './initial_access_azure_active_directory_powershell_signin.json';
import rule457 from './collection_email_powershell_exchange_mailbox.json';
import rule458 from './execution_scheduled_task_powershell_source.json';
import rule459 from './persistence_powershell_exch_mailbox_activesync_add_device.json';
import rule460 from './persistence_docker_shortcuts_plist_modification.json';
import rule461 from './persistence_evasion_hidden_local_account_creation.json';
import rule462 from './persistence_finder_sync_plugin_pluginkit.json';
import rule463 from './discovery_security_software_grep.json';
import rule464 from './credential_access_cookies_chromium_browsers_debugging.json';
import rule465 from './credential_access_ssh_backdoor_log.json';
import rule466 from './persistence_credential_access_modify_auth_module_or_config.json';
import rule467 from './persistence_credential_access_modify_ssh_binaries.json';
import rule468 from './credential_access_collection_sensitive_files.json';
import rule469 from './persistence_ssh_authorized_keys_modification.json';
import rule470 from './defense_evasion_defender_disabled_via_registry.json';
import rule471 from './defense_evasion_privacy_controls_tcc_database_modification.json';
import rule472 from './execution_initial_access_suspicious_browser_childproc.json';
import rule473 from './execution_script_via_automator_workflows.json';
import rule474 from './persistence_modification_sublime_app_plugin_or_script.json';
import rule475 from './privilege_escalation_applescript_with_admin_privs.json';
import rule476 from './credential_access_dumping_keychain_security.json';
import rule477 from './initial_access_azure_active_directory_high_risk_signin.json';
import rule478 from './initial_access_suspicious_mac_ms_office_child_process.json';
import rule479 from './credential_access_mitm_localhost_webproxy.json';
import rule480 from './persistence_kde_autostart_modification.json';
import rule481 from './persistence_user_account_added_to_privileged_group_ad.json';
import rule482 from './defense_evasion_attempt_to_disable_gatekeeper.json';
import rule483 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json';
import rule484 from './persistence_emond_rules_file_creation.json';
import rule485 from './persistence_emond_rules_process_execution.json';
import rule486 from './discovery_users_domain_built_in_commands.json';
import rule487 from './execution_pentest_eggshell_remote_admin_tool.json';
import rule488 from './defense_evasion_install_root_certificate.json';
import rule489 from './persistence_credential_access_authorization_plugin_creation.json';
import rule490 from './persistence_directory_services_plugins_modification.json';
import rule491 from './defense_evasion_modify_environment_launchctl.json';
import rule492 from './defense_evasion_safari_config_change.json';
import rule493 from './defense_evasion_apple_softupdates_modification.json';
import rule494 from './credential_access_mod_wdigest_security_provider.json';
import rule495 from './credential_access_saved_creds_vaultcmd.json';
import rule496 from './defense_evasion_file_creation_mult_extension.json';
import rule497 from './execution_enumeration_via_wmiprvse.json';
import rule498 from './execution_suspicious_jar_child_process.json';
import rule499 from './persistence_shell_profile_modification.json';
import rule500 from './persistence_suspicious_calendar_modification.json';
import rule501 from './persistence_time_provider_mod.json';
import rule502 from './privilege_escalation_exploit_adobe_acrobat_updater.json';
import rule503 from './defense_evasion_sip_provider_mod.json';
import rule504 from './execution_com_object_xwizard.json';
import rule505 from './privilege_escalation_disable_uac_registry.json';
import rule506 from './defense_evasion_unusual_ads_file_creation.json';
import rule507 from './persistence_loginwindow_plist_modification.json';
import rule508 from './persistence_periodic_tasks_file_mdofiy.json';
import rule509 from './persistence_via_atom_init_file_modification.json';
import rule510 from './privilege_escalation_lsa_auth_package.json';
import rule511 from './privilege_escalation_port_monitor_print_pocessor_abuse.json';
import rule512 from './credential_access_dumping_hashes_bi_cmds.json';
import rule513 from './lateral_movement_mounting_smb_share.json';
import rule514 from './privilege_escalation_echo_nopasswd_sudoers.json';
import rule515 from './privilege_escalation_ld_preload_shared_object_modif.json';
import rule516 from './privilege_escalation_root_crontab_filemod.json';
import rule517 from './defense_evasion_create_mod_root_certificate.json';
import rule518 from './privilege_escalation_sudo_buffer_overflow.json';
import rule519 from './execution_installer_spawned_network_event.json';
import rule520 from './initial_access_suspicious_ms_exchange_files.json';
import rule521 from './initial_access_suspicious_ms_exchange_process.json';
import rule522 from './initial_access_suspicious_ms_exchange_worker_child_process.json';
import rule523 from './persistence_evasion_registry_startup_shell_folder_modified.json';
import rule524 from './persistence_local_scheduled_job_creation.json';
import rule525 from './persistence_via_wmi_stdregprov_run_services.json';
import rule526 from './credential_access_persistence_network_logon_provider_modification.json';
import rule527 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json';
import rule528 from './collection_microsoft_365_new_inbox_rule.json';
import rule529 from './ml_high_count_network_denies.json';
import rule530 from './ml_high_count_network_events.json';
import rule531 from './ml_rare_destination_country.json';
import rule532 from './ml_spike_in_traffic_to_a_country.json';
import rule533 from './command_and_control_tunneling_via_earthworm.json';
import rule534 from './lateral_movement_evasion_rdp_shadowing.json';
import rule535 from './threat_intel_module_match.json';
import rule536 from './exfiltration_ec2_vm_export_failure.json';
import rule537 from './exfiltration_ec2_full_network_packet_capture_detected.json';
import rule538 from './impact_azure_service_principal_credentials_added.json';
import rule539 from './persistence_ec2_security_group_configuration_change_detection.json';
import rule540 from './defense_evasion_disabling_windows_logs.json';
import rule541 from './persistence_route_53_domain_transfer_lock_disabled.json';
import rule542 from './persistence_route_53_domain_transferred_to_another_account.json';
import rule543 from './initial_access_okta_user_attempted_unauthorized_access.json';
import rule544 from './credential_access_user_excessive_sso_logon_errors.json';
import rule545 from './persistence_exchange_suspicious_mailbox_right_delegation.json';
import rule546 from './privilege_escalation_new_or_modified_federation_domain.json';
import rule547 from './privilege_escalation_sts_assumerole_usage.json';
import rule548 from './privilege_escalation_sts_getsessiontoken_abuse.json';
import rule549 from './defense_evasion_suspicious_execution_from_mounted_device.json';
import rule550 from './defense_evasion_unusual_network_connection_via_dllhost.json';
import rule551 from './defense_evasion_amsienable_key_mod.json';
import rule552 from './impact_rds_group_deletion.json';
import rule553 from './persistence_rds_group_creation.json';
import rule554 from './persistence_route_table_created.json';
import rule555 from './persistence_route_table_modified_or_deleted.json';
import rule556 from './exfiltration_rds_snapshot_export.json';
import rule557 from './persistence_rds_instance_creation.json';
import rule558 from './privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json';
import rule559 from './ml_auth_rare_hour_for_a_user_to_logon.json';
import rule560 from './ml_auth_rare_source_ip_for_a_user.json';
import rule561 from './ml_auth_rare_user_logon.json';
import rule562 from './ml_auth_spike_in_failed_logon_events.json';
import rule563 from './ml_auth_spike_in_logon_events.json';
import rule564 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
import rule565 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
import rule566 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
import rule567 from './defense_evasion_kubernetes_events_deleted.json';
import rule568 from './impact_kubernetes_pod_deleted.json';
import rule569 from './exfiltration_rds_snapshot_restored.json';
import rule570 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
import rule571 from './privilege_escalation_printspooler_malicious_registry_modification.json';
import rule572 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
import rule573 from './privilege_escalation_unusual_printspooler_childprocess.json';
import rule574 from './defense_evasion_disabling_windows_defender_powershell.json';
import rule575 from './defense_evasion_enable_network_discovery_with_netsh.json';
import rule576 from './defense_evasion_execution_windefend_unusual_path.json';
import rule577 from './defense_evasion_agent_spoofing_mismatched_id.json';
import rule578 from './defense_evasion_agent_spoofing_multiple_hosts.json';
import rule579 from './defense_evasion_parent_process_pid_spoofing.json';
import rule580 from './impact_microsoft_365_potential_ransomware_activity.json';
import rule581 from './impact_microsoft_365_unusual_volume_of_file_deletion.json';
import rule582 from './initial_access_microsoft_365_user_restricted_from_sending_email.json';
import rule583 from './defense_evasion_elasticache_security_group_creation.json';
import rule584 from './defense_evasion_elasticache_security_group_modified_or_deleted.json';
import rule585 from './impact_volume_shadow_copy_deletion_via_powershell.json';
import rule586 from './persistence_route_53_hosted_zone_associated_with_a_vpc.json';
import rule587 from './defense_evasion_defender_exclusion_via_powershell.json';
import rule588 from './defense_evasion_dns_over_https_enabled.json';
import rule589 from './defense_evasion_whitespace_padding_in_command_line.json';
import rule590 from './defense_evasion_frontdoor_firewall_policy_deletion.json';
import rule591 from './credential_access_azure_full_network_packet_capture_detected.json';
import rule592 from './persistence_webshell_detection.json';
import rule593 from './impact_efs_filesystem_or_mount_deleted.json';
import rule594 from './defense_evasion_execution_control_panel_suspicious_args.json';
import rule595 from './defense_evasion_azure_blob_permissions_modified.json';
import rule596 from './privilege_escalation_aws_suspicious_saml_activity.json';
import rule597 from './credential_access_potential_lsa_memdump_via_mirrordump.json';
import rule598 from './discovery_virtual_machine_fingerprinting_grep.json';
import rule599 from './impact_backup_file_deletion.json';
import rule600 from './credential_access_posh_minidump.json';
import rule601 from './persistence_screensaver_engine_unexpected_child_process.json';
import rule602 from './persistence_screensaver_plist_file_modification.json';
import rule603 from './defense_evasion_suspicious_process_access_direct_syscall.json';
import rule604 from './discovery_posh_suspicious_api_functions.json';
import rule605 from './execution_posh_portable_executable.json';
import rule606 from './impact_aws_eventbridge_rule_disabled_or_deleted.json';
import rule607 from './collection_posh_audio_capture.json';
import rule608 from './persistence_via_bits_job_notify_command.json';
import rule322 from './discovery_privileged_localgroup_membership.json';
import rule323 from './persistence_ms_office_addins_file.json';
import rule324 from './discovery_adfind_command_activity.json';
import rule325 from './discovery_security_software_wmic.json';
import rule326 from './execution_command_shell_via_rundll32.json';
import rule327 from './execution_suspicious_cmd_wmi.json';
import rule328 from './lateral_movement_via_startup_folder_rdp_smb.json';
import rule329 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json';
import rule330 from './privilege_escalation_uac_bypass_mock_windir.json';
import rule331 from './defense_evasion_potential_processherpaderping.json';
import rule332 from './privilege_escalation_uac_bypass_dll_sideloading.json';
import rule333 from './execution_shared_modules_local_sxs_dll.json';
import rule334 from './privilege_escalation_uac_bypass_com_clipup.json';
import rule335 from './initial_access_via_explorer_suspicious_child_parent_args.json';
import rule336 from './execution_from_unusual_directory.json';
import rule337 from './execution_from_unusual_path_cmdline.json';
import rule338 from './credential_access_kerberoasting_unusual_process.json';
import rule339 from './discovery_peripheral_device.json';
import rule340 from './lateral_movement_mount_hidden_or_webdav_share_net.json';
import rule341 from './defense_evasion_deleting_websvr_access_logs.json';
import rule342 from './defense_evasion_log_files_deleted.json';
import rule343 from './defense_evasion_timestomp_touch.json';
import rule344 from './lateral_movement_dcom_hta.json';
import rule345 from './lateral_movement_execution_via_file_shares_sequence.json';
import rule346 from './privilege_escalation_uac_bypass_com_ieinstal.json';
import rule347 from './command_and_control_common_webservices.json';
import rule348 from './command_and_control_encrypted_channel_freesslcert.json';
import rule349 from './defense_evasion_process_termination_followed_by_deletion.json';
import rule350 from './lateral_movement_remote_file_copy_hidden_share.json';
import rule351 from './attempt_to_deactivate_okta_network_zone.json';
import rule352 from './attempt_to_delete_okta_network_zone.json';
import rule353 from './lateral_movement_dcom_mmc20.json';
import rule354 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json';
import rule355 from './okta_attempt_to_deactivate_okta_application.json';
import rule356 from './okta_attempt_to_delete_okta_application.json';
import rule357 from './okta_attempt_to_delete_okta_policy_rule.json';
import rule358 from './okta_attempt_to_modify_okta_application.json';
import rule359 from './persistence_administrator_role_assigned_to_okta_user.json';
import rule360 from './lateral_movement_executable_tool_transfer_smb.json';
import rule361 from './command_and_control_dns_tunneling_nslookup.json';
import rule362 from './lateral_movement_execution_from_tsclient_mup.json';
import rule363 from './lateral_movement_rdp_sharprdp_target.json';
import rule364 from './defense_evasion_clearing_windows_security_logs.json';
import rule365 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json';
import rule366 from './execution_suspicious_short_program_name.json';
import rule367 from './lateral_movement_incoming_wmi.json';
import rule368 from './persistence_via_hidden_run_key_valuename.json';
import rule369 from './credential_access_potential_ssh_bruteforce.json';
import rule370 from './credential_access_promt_for_pwd_via_osascript.json';
import rule371 from './lateral_movement_remote_services.json';
import rule372 from './application_added_to_google_workspace_domain.json';
import rule373 from './domain_added_to_google_workspace_trusted_domains.json';
import rule374 from './execution_suspicious_image_load_wmi_ms_office.json';
import rule375 from './execution_suspicious_powershell_imgload.json';
import rule376 from './google_workspace_admin_role_deletion.json';
import rule377 from './google_workspace_mfa_enforcement_disabled.json';
import rule378 from './google_workspace_policy_modified.json';
import rule379 from './mfa_disabled_for_google_workspace_organization.json';
import rule380 from './persistence_evasion_registry_ifeo_injection.json';
import rule381 from './persistence_google_workspace_admin_role_assigned_to_user.json';
import rule382 from './persistence_google_workspace_custom_admin_role_created.json';
import rule383 from './persistence_google_workspace_role_modified.json';
import rule384 from './persistence_suspicious_image_load_scheduled_task_ms_office.json';
import rule385 from './defense_evasion_masquerading_trusted_directory.json';
import rule386 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json';
import rule387 from './initial_access_microsoft_365_exchange_safelinks_disabled.json';
import rule388 from './microsoft_365_exchange_dkim_signing_config_disabled.json';
import rule389 from './persistence_appcertdlls_registry.json';
import rule390 from './persistence_appinitdlls_registry.json';
import rule391 from './persistence_registry_uncommon.json';
import rule392 from './persistence_run_key_and_startup_broad.json';
import rule393 from './persistence_services_registry.json';
import rule394 from './persistence_startup_folder_file_written_by_suspicious_process.json';
import rule395 from './persistence_startup_folder_scripts.json';
import rule396 from './persistence_suspicious_com_hijack_registry.json';
import rule397 from './persistence_via_lsa_security_support_provider_registry.json';
import rule398 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json';
import rule399 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json';
import rule400 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json';
import rule401 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json';
import rule402 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json';
import rule403 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json';
import rule404 from './lateral_movement_suspicious_rdp_client_imageload.json';
import rule405 from './persistence_runtime_run_key_startup_susp_procs.json';
import rule406 from './persistence_suspicious_scheduled_task_runtime.json';
import rule407 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json';
import rule408 from './lateral_movement_scheduled_task_target.json';
import rule409 from './persistence_microsoft_365_exchange_management_role_assignment.json';
import rule410 from './persistence_microsoft_365_teams_guest_access_enabled.json';
import rule411 from './credential_access_dump_registry_hives.json';
import rule412 from './defense_evasion_scheduledjobs_at_protocol_enabled.json';
import rule413 from './persistence_ms_outlook_vba_template.json';
import rule414 from './persistence_suspicious_service_created_registry.json';
import rule415 from './privilege_escalation_named_pipe_impersonation.json';
import rule416 from './credential_access_cmdline_dump_tool.json';
import rule417 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json';
import rule418 from './credential_access_lsass_memdump_file_created.json';
import rule419 from './lateral_movement_incoming_winrm_shell_execution.json';
import rule420 from './lateral_movement_powershell_remoting_target.json';
import rule421 from './command_and_control_port_forwarding_added_registry.json';
import rule422 from './defense_evasion_hide_encoded_executable_registry.json';
import rule423 from './lateral_movement_rdp_enabled_registry.json';
import rule424 from './privilege_escalation_printspooler_registry_copyfiles.json';
import rule425 from './privilege_escalation_rogue_windir_environment_var.json';
import rule426 from './initial_access_scripts_process_started_via_wmi.json';
import rule427 from './command_and_control_iexplore_via_com.json';
import rule428 from './command_and_control_remote_file_copy_scripts.json';
import rule429 from './persistence_local_scheduled_task_scripting.json';
import rule430 from './persistence_startup_folder_file_written_by_unsigned_process.json';
import rule431 from './command_and_control_remote_file_copy_powershell.json';
import rule432 from './credential_access_microsoft_365_brute_force_user_account_attempt.json';
import rule433 from './microsoft_365_teams_custom_app_interaction_allowed.json';
import rule434 from './persistence_microsoft_365_teams_external_access_enabled.json';
import rule435 from './credential_access_microsoft_365_potential_password_spraying_attack.json';
import rule436 from './impact_stop_process_service_threshold.json';
import rule437 from './collection_winrar_encryption.json';
import rule438 from './defense_evasion_unusual_dir_ads.json';
import rule439 from './discovery_admin_recon.json';
import rule440 from './discovery_file_dir_discovery.json';
import rule441 from './discovery_net_view.json';
import rule442 from './discovery_remote_system_discovery_commands_windows.json';
import rule443 from './persistence_via_windows_management_instrumentation_event_subscription.json';
import rule444 from './execution_scripting_osascript_exec_followed_by_netcon.json';
import rule445 from './execution_shell_execution_via_apple_scripting.json';
import rule446 from './persistence_creation_change_launch_agents_file.json';
import rule447 from './persistence_creation_modif_launch_deamon_sequence.json';
import rule448 from './persistence_folder_action_scripts_runtime.json';
import rule449 from './persistence_login_logout_hooks_defaults.json';
import rule450 from './privilege_escalation_explicit_creds_via_scripting.json';
import rule451 from './command_and_control_sunburst_c2_activity_detected.json';
import rule452 from './defense_evasion_azure_application_credential_modification.json';
import rule453 from './defense_evasion_azure_service_principal_addition.json';
import rule454 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json';
import rule455 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json';
import rule456 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json';
import rule457 from './initial_access_azure_active_directory_powershell_signin.json';
import rule458 from './collection_email_powershell_exchange_mailbox.json';
import rule459 from './execution_scheduled_task_powershell_source.json';
import rule460 from './persistence_powershell_exch_mailbox_activesync_add_device.json';
import rule461 from './persistence_docker_shortcuts_plist_modification.json';
import rule462 from './persistence_evasion_hidden_local_account_creation.json';
import rule463 from './persistence_finder_sync_plugin_pluginkit.json';
import rule464 from './discovery_security_software_grep.json';
import rule465 from './credential_access_cookies_chromium_browsers_debugging.json';
import rule466 from './credential_access_ssh_backdoor_log.json';
import rule467 from './persistence_credential_access_modify_auth_module_or_config.json';
import rule468 from './persistence_credential_access_modify_ssh_binaries.json';
import rule469 from './credential_access_collection_sensitive_files.json';
import rule470 from './persistence_ssh_authorized_keys_modification.json';
import rule471 from './defense_evasion_defender_disabled_via_registry.json';
import rule472 from './defense_evasion_privacy_controls_tcc_database_modification.json';
import rule473 from './execution_initial_access_suspicious_browser_childproc.json';
import rule474 from './execution_script_via_automator_workflows.json';
import rule475 from './persistence_modification_sublime_app_plugin_or_script.json';
import rule476 from './privilege_escalation_applescript_with_admin_privs.json';
import rule477 from './credential_access_dumping_keychain_security.json';
import rule478 from './initial_access_azure_active_directory_high_risk_signin.json';
import rule479 from './initial_access_suspicious_mac_ms_office_child_process.json';
import rule480 from './credential_access_mitm_localhost_webproxy.json';
import rule481 from './persistence_kde_autostart_modification.json';
import rule482 from './persistence_user_account_added_to_privileged_group_ad.json';
import rule483 from './defense_evasion_attempt_to_disable_gatekeeper.json';
import rule484 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json';
import rule485 from './persistence_emond_rules_file_creation.json';
import rule486 from './persistence_emond_rules_process_execution.json';
import rule487 from './discovery_users_domain_built_in_commands.json';
import rule488 from './execution_pentest_eggshell_remote_admin_tool.json';
import rule489 from './defense_evasion_install_root_certificate.json';
import rule490 from './persistence_credential_access_authorization_plugin_creation.json';
import rule491 from './persistence_directory_services_plugins_modification.json';
import rule492 from './defense_evasion_modify_environment_launchctl.json';
import rule493 from './defense_evasion_safari_config_change.json';
import rule494 from './defense_evasion_apple_softupdates_modification.json';
import rule495 from './credential_access_mod_wdigest_security_provider.json';
import rule496 from './credential_access_saved_creds_vaultcmd.json';
import rule497 from './defense_evasion_file_creation_mult_extension.json';
import rule498 from './execution_enumeration_via_wmiprvse.json';
import rule499 from './execution_suspicious_jar_child_process.json';
import rule500 from './persistence_shell_profile_modification.json';
import rule501 from './persistence_suspicious_calendar_modification.json';
import rule502 from './persistence_time_provider_mod.json';
import rule503 from './privilege_escalation_exploit_adobe_acrobat_updater.json';
import rule504 from './defense_evasion_sip_provider_mod.json';
import rule505 from './execution_com_object_xwizard.json';
import rule506 from './privilege_escalation_disable_uac_registry.json';
import rule507 from './defense_evasion_unusual_ads_file_creation.json';
import rule508 from './persistence_loginwindow_plist_modification.json';
import rule509 from './persistence_periodic_tasks_file_mdofiy.json';
import rule510 from './persistence_via_atom_init_file_modification.json';
import rule511 from './privilege_escalation_lsa_auth_package.json';
import rule512 from './privilege_escalation_port_monitor_print_pocessor_abuse.json';
import rule513 from './credential_access_dumping_hashes_bi_cmds.json';
import rule514 from './lateral_movement_mounting_smb_share.json';
import rule515 from './privilege_escalation_echo_nopasswd_sudoers.json';
import rule516 from './privilege_escalation_ld_preload_shared_object_modif.json';
import rule517 from './privilege_escalation_root_crontab_filemod.json';
import rule518 from './defense_evasion_create_mod_root_certificate.json';
import rule519 from './privilege_escalation_sudo_buffer_overflow.json';
import rule520 from './execution_installer_spawned_network_event.json';
import rule521 from './initial_access_suspicious_ms_exchange_files.json';
import rule522 from './initial_access_suspicious_ms_exchange_process.json';
import rule523 from './initial_access_suspicious_ms_exchange_worker_child_process.json';
import rule524 from './persistence_evasion_registry_startup_shell_folder_modified.json';
import rule525 from './persistence_local_scheduled_job_creation.json';
import rule526 from './persistence_via_wmi_stdregprov_run_services.json';
import rule527 from './credential_access_persistence_network_logon_provider_modification.json';
import rule528 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json';
import rule529 from './collection_microsoft_365_new_inbox_rule.json';
import rule530 from './ml_high_count_network_denies.json';
import rule531 from './ml_high_count_network_events.json';
import rule532 from './ml_rare_destination_country.json';
import rule533 from './ml_spike_in_traffic_to_a_country.json';
import rule534 from './command_and_control_tunneling_via_earthworm.json';
import rule535 from './lateral_movement_evasion_rdp_shadowing.json';
import rule536 from './threat_intel_filebeat7x.json';
import rule537 from './threat_intel_fleet_integrations.json';
import rule538 from './exfiltration_ec2_vm_export_failure.json';
import rule539 from './exfiltration_ec2_full_network_packet_capture_detected.json';
import rule540 from './impact_azure_service_principal_credentials_added.json';
import rule541 from './persistence_ec2_security_group_configuration_change_detection.json';
import rule542 from './defense_evasion_disabling_windows_logs.json';
import rule543 from './persistence_route_53_domain_transfer_lock_disabled.json';
import rule544 from './persistence_route_53_domain_transferred_to_another_account.json';
import rule545 from './initial_access_okta_user_attempted_unauthorized_access.json';
import rule546 from './credential_access_user_excessive_sso_logon_errors.json';
import rule547 from './persistence_exchange_suspicious_mailbox_right_delegation.json';
import rule548 from './privilege_escalation_new_or_modified_federation_domain.json';
import rule549 from './privilege_escalation_sts_assumerole_usage.json';
import rule550 from './privilege_escalation_sts_getsessiontoken_abuse.json';
import rule551 from './defense_evasion_suspicious_execution_from_mounted_device.json';
import rule552 from './defense_evasion_unusual_network_connection_via_dllhost.json';
import rule553 from './defense_evasion_amsienable_key_mod.json';
import rule554 from './impact_rds_group_deletion.json';
import rule555 from './persistence_rds_group_creation.json';
import rule556 from './persistence_route_table_created.json';
import rule557 from './persistence_route_table_modified_or_deleted.json';
import rule558 from './exfiltration_rds_snapshot_export.json';
import rule559 from './persistence_rds_instance_creation.json';
import rule560 from './privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json';
import rule561 from './ml_auth_rare_hour_for_a_user_to_logon.json';
import rule562 from './ml_auth_rare_source_ip_for_a_user.json';
import rule563 from './ml_auth_rare_user_logon.json';
import rule564 from './ml_auth_spike_in_failed_logon_events.json';
import rule565 from './ml_auth_spike_in_logon_events.json';
import rule566 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
import rule567 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
import rule568 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
import rule569 from './defense_evasion_kubernetes_events_deleted.json';
import rule570 from './impact_kubernetes_pod_deleted.json';
import rule571 from './exfiltration_rds_snapshot_restored.json';
import rule572 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
import rule573 from './privilege_escalation_printspooler_malicious_registry_modification.json';
import rule574 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
import rule575 from './privilege_escalation_unusual_printspooler_childprocess.json';
import rule576 from './defense_evasion_disabling_windows_defender_powershell.json';
import rule577 from './defense_evasion_enable_network_discovery_with_netsh.json';
import rule578 from './defense_evasion_execution_windefend_unusual_path.json';
import rule579 from './defense_evasion_agent_spoofing_mismatched_id.json';
import rule580 from './defense_evasion_agent_spoofing_multiple_hosts.json';
import rule581 from './defense_evasion_parent_process_pid_spoofing.json';
import rule582 from './impact_microsoft_365_potential_ransomware_activity.json';
import rule583 from './impact_microsoft_365_unusual_volume_of_file_deletion.json';
import rule584 from './initial_access_microsoft_365_user_restricted_from_sending_email.json';
import rule585 from './defense_evasion_elasticache_security_group_creation.json';
import rule586 from './defense_evasion_elasticache_security_group_modified_or_deleted.json';
import rule587 from './impact_volume_shadow_copy_deletion_via_powershell.json';
import rule588 from './persistence_route_53_hosted_zone_associated_with_a_vpc.json';
import rule589 from './defense_evasion_defender_exclusion_via_powershell.json';
import rule590 from './defense_evasion_dns_over_https_enabled.json';
import rule591 from './defense_evasion_whitespace_padding_in_command_line.json';
import rule592 from './defense_evasion_frontdoor_firewall_policy_deletion.json';
import rule593 from './credential_access_azure_full_network_packet_capture_detected.json';
import rule594 from './persistence_webshell_detection.json';
import rule595 from './impact_efs_filesystem_or_mount_deleted.json';
import rule596 from './defense_evasion_execution_control_panel_suspicious_args.json';
import rule597 from './defense_evasion_azure_blob_permissions_modified.json';
import rule598 from './privilege_escalation_aws_suspicious_saml_activity.json';
import rule599 from './credential_access_potential_lsa_memdump_via_mirrordump.json';
import rule600 from './discovery_virtual_machine_fingerprinting_grep.json';
import rule601 from './impact_backup_file_deletion.json';
import rule602 from './credential_access_posh_minidump.json';
import rule603 from './persistence_screensaver_engine_unexpected_child_process.json';
import rule604 from './persistence_screensaver_plist_file_modification.json';
import rule605 from './credential_access_suspicious_lsass_access_memdump.json';
import rule606 from './defense_evasion_suspicious_process_access_direct_syscall.json';
import rule607 from './discovery_posh_suspicious_api_functions.json';
import rule608 from './privilege_escalation_via_rogue_named_pipe.json';
import rule609 from './credential_access_suspicious_lsass_access_via_snapshot.json';
import rule610 from './defense_evasion_posh_process_injection.json';
import rule611 from './collection_posh_keylogger.json';
import rule612 from './defense_evasion_posh_assembly_load.json';
import rule613 from './defense_evasion_powershell_windows_firewall_disabled.json';
import rule614 from './execution_posh_portable_executable.json';
import rule615 from './credential_access_suspicious_comsvcs_imageload.json';
import rule616 from './impact_aws_eventbridge_rule_disabled_or_deleted.json';
import rule617 from './initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json';
import rule618 from './persistence_remote_password_reset.json';
import rule619 from './privilege_escalation_azure_kubernetes_rolebinding_created.json';
import rule620 from './collection_posh_audio_capture.json';
import rule621 from './defense_evasion_suspicious_process_creation_calltrace.json';
import rule622 from './defense_evasion_clearing_windows_console_history.json';
import rule623 from './threat_intel_filebeat8x.json';
import rule624 from './credential_access_via_snapshot_lsass_clone_creation.json';
import rule625 from './persistence_via_bits_job_notify_command.json';
export const rawRules = [
rule1,
@ -1228,4 +1245,21 @@ export const rawRules = [
rule606,
rule607,
rule608,
rule609,
rule610,
rule611,
rule612,
rule613,
rule614,
rule615,
rule616,
rule617,
rule618,
rule619,
rule620,
rule621,
rule622,
rule623,
rule624,
rule625,
];


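--- /dev/null
+++ b/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json
@@ -0,0 +1,52 @@
+{
+"author": [
+"Austin Songer"
+],
+"description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.",
+"from": "now-25m",
+"index": [
+"filebeat-*",
+"logs-azure*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"name": "Azure Active Directory High Risk User Sign-in Heuristic",
+"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+"query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n",
+"references": [
+"https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+],
+"risk_score": 47,
+"rule_id": "26edba02-6979-4bce-920a-70b080a7be81",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Cloud",
+"Azure",
+"Continuous Monitoring",
+"SecOps",
+"Identity and Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0001",
+"name": "Initial Access",
+"reference": "https://attack.mitre.org/tactics/TA0001/"
+},
+"technique": [
+{
+"id": "T1078",
+"name": "Valid Accounts",
+"reference": "https://attack.mitre.org/techniques/T1078/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "query",
+"version": 1
+}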
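Review bot: The description does not say how this rule differs from the high-risk sign-in rule the index already imports (`initial_access_azure_active_directory_high_risk_signin.json`), even though the query keys on a different field, `azure.signinlogs.properties.risk_state`, and only on the values `confirmedCompromised` and `atRisk`. A sentence such as `This rule keys on the sign-in's risk_state (atRisk or confirmedCompromised) rather than on its risk level, and only alerts on successful sign-ins.` would let an analyst tell the two alerts apart and would make the `event.outcome:(success or Success)` filter an explicit part of the contract. The rule also has no `false_positives` entry, unlike the password-reset rule in this same commit, so a pointer to the investigate-risk reference for triage would help.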


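--- /dev/null
+++ b/persistence_remote_password_reset.json
@@ -0,0 +1,53 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.",
+"false_positives": [
+"Legitimate remote account administration."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Account Password Reset Remotely",
+"query": "sequence by host.id with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n not source.ip in (\"127.0.0.1\", \"::1\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\"] by winlog.event_data.SubjectLogonId\n",
+"references": [
+"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx"
+],
+"risk_score": 47,
+"rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Persistence"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0003",
+"name": "Persistence",
+"reference": "https://attack.mitre.org/tactics/TA0003/"
+},
+"technique": [
+{
+"id": "T1098",
+"name": "Account Manipulation",
+"reference": "https://attack.mitre.org/techniques/T1098/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}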
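Review bot: The loopback exclusion in the first sequence step only matches the two exact addresses `127.0.0.1` and `::1`, so a Network logon reported from any other 127.0.0.0/8 address would still be paired with a local reset; EQL's cidrMatch covers the whole range: `not cidrmatch(source.ip, "127.0.0.0/8", "::1")`. The query's inline comments say that events 4624 and 4724 "need to be logged", but unlike the Azure rules in this commit the rule has no `note` field, so that prerequisite is invisible in the rule UI; a short Config section stating that the Logon and User Account Management audit subcategories must be enabled would fix that. The comments themselves read better as `/* event 4624 needs to be logged */` and `/* event 4724 needs to be logged */`.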


@ -12,7 +12,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Component Object Model Hijacking",
"query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
"query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
"references": [
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
],
@ -52,5 +52,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 5
}
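Review bot: The Veeam exclusion added to the query is keyed on the `process.executable` path alone, so alerts on the user-hive `LocalServer32` keys it names are suppressed for whatever runs under that path, not specifically for the vendor's console; constraining it to the signer as well, e.g. `process.code_signature.trusted == true and process.code_signature.subject_name : "<VENDOR_SUBJECT_NAME>"` next to the path check, keeps the exclusion tied to the binary it was written for. Writing under Program Files normally needs administrative rights, so the residual risk is mainly from an already-elevated actor, but path-only exclusions are still the first thing a reviewer of this rule will question. Every other branch of the query carries an inline comment explaining its purpose while this one has none; a line such as `/* known benign: Veeam Backup & Replication console registers its own CLSIDs under the user hive */`, worded from whatever was actually observed, would document why it is safe.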


@ -0,0 +1,45 @@
{
"author": [
"Austin Songer"
],
"description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.",
"from": "now-20m",
"index": [
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Kubernetes Rolebindings Created",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and \nevent.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"
],
"risk_score": 21,
"rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"Azure",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
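Review bot: The two operation names in `query` end in `/WRITE`, and Azure resource-provider write operations are typically logged for updates as well as creations, so the rule name "Rolebindings Created" and the description ("Identifies the creation of ...") are narrower than what will actually fire; either word it as "created or modified" or say in the note that updates trigger it too. Both operations also sit under the `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS` resource provider (Azure Arc-connected clusters, as far as the names show), so binding writes on Azure Kubernetes offerings that log under a different provider will not match — worth stating in the description so nobody assumes all Azure clusters are covered. `threat[0].technique` is an empty array; adding the ATT&CK technique the rule targets under Privilege Escalation would make triage easier.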


@ -0,0 +1,51 @@
{
"author": [
"Elastic"
],
"description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"note": "## Config\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n",
"query": "file where event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
"references": [
"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
"https://github.com/zcgonvh/EfsPotato",
"https://twitter.com/SBousseaden/status/1429530155291193354"
],
"risk_score": 73,
"rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Privilege Escalation"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1134",
"name": "Access Token Manipulation",
"reference": "https://attack.mitre.org/techniques/T1134/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
}
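Review bot: The Config note's Sysmon guidance `condition equal "contains" and keyword equal "pipe"` is not something a practitioner can paste into a config; it should give the actual PipeEvent include rule, e.g. `<PipeEvent onmatch="include"><PipeName condition="contains">pipe</PipeName></PipeEvent>` (confirm against the Sysmon schema version in use), and say that without it no pipe-creation events exist for `event.action : "Pipe Created*"` to match. The query comment says Sysmon drops the leading pipe keyword, so the detection logic is really "a pipe name that still contains a `\Pipe\` segment is a nested path a rogue server would register" — spell that out in the note so `file.name : "\\*\\Pipe\\*"` is not tuned away later, and mention that EQL `:` compares case-insensitively, so the capitalisation of `Pipe` in the pattern is irrelevant. Since this is high severity with no exclusions, a sentence in the note on expected false positives (legitimate software that nests its pipe names, if any) would help whoever enables it.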


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.",
"description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations.",
"from": "now-65m",
"index": [
"auditbeat-*",
@ -15,7 +15,7 @@
"interval": "1h",
"language": "kuery",
"license": "Elastic License v2",
"name": "Threat Intel Filebeat Module Indicator Match",
"name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. 
For example, an IP address\nmay have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
"query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
"references": [
@ -114,7 +114,7 @@
"threat_index": [
"filebeat-*"
],
"threat_indicator_path": "",
"threat_indicator_path": "threatintel.indicator",
"threat_language": "kuery",
"threat_mapping": [
{
@ -194,5 +194,5 @@
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
"timeline_title": "Generic Threat Match Timeline",
"type": "threat_match",
"version": 3
"version": 4
}
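Review bot: The new description still reads `indicators from the Threat Intel Filebeat module (v7.x) has a match` — the subject is plural, so `have a match`; the same wording is carried into the two new v8 rules. Setting `threat_indicator_path` to `threatintel.indicator` is the v7 module's namespace and matches the `threatintel.indicator.matched.*` fields described in the note, but the rule's `index` list (it runs past the hunk) appears to include the same `filebeat-*` pattern as `threat_index`, so a threatintel document that also carries a top-level `source.ip` or `url.full` would be scanned as a source event and could match itself; if any feed populates such fields, a `not event.dataset:threatintel.*` clause in `query` or excluding the indicator indices from `index` keeps the two sides disjoint.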


@ -0,0 +1,198 @@
{
"author": [
"Elastic"
],
"description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.",
"from": "now-65m",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"interval": "1h",
"language": "kuery",
"license": "Elastic License v2",
"name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. 
For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
"query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
"references": [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
],
"risk_score": 99,
"rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43",
"severity": "critical",
"tags": [
"Elastic",
"Windows",
"Elastic Endgame",
"Network",
"Continuous Monitoring",
"SecOps",
"Monitoring"
],
"threat_filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.dataset",
"negate": false,
"params": {
"query": "ti_*"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.dataset": "ti_*"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.category",
"negate": false,
"params": {
"query": "threat"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.category": "threat"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.kind",
"negate": false,
"params": {
"query": "enrichment"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.kind": "enrichment"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.type",
"negate": false,
"params": {
"query": "indicator"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.type": "indicator"
}
}
}
],
"threat_index": [
"filebeat-8*"
],
"threat_indicator_path": "threat.indicator",
"threat_language": "kuery",
"threat_mapping": [
{
"entries": [
{
"field": "file.hash.md5",
"type": "mapping",
"value": "threat.indicator.file.hash.md5"
}
]
},
{
"entries": [
{
"field": "file.hash.sha1",
"type": "mapping",
"value": "threat.indicator.file.hash.sha1"
}
]
},
{
"entries": [
{
"field": "file.hash.sha256",
"type": "mapping",
"value": "threat.indicator.file.hash.sha256"
}
]
},
{
"entries": [
{
"field": "file.pe.imphash",
"type": "mapping",
"value": "threat.indicator.file.pe.imphash"
}
]
},
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
},
{
"entries": [
{
"field": "url.full",
"type": "mapping",
"value": "threat.indicator.url.full"
}
]
},
{
"entries": [
{
"field": "registry.path",
"type": "mapping",
"value": "threat.indicator.registry.path"
}
]
}
],
"threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
"timeline_title": "Generic Threat Match Timeline",
"type": "threat_match",
"version": 1
}
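Review bot: The `threat_filters` entry on `event.dataset` is a `match_phrase` query with the value `ti_*`, and a phrase query does not expand wildcards — on a keyword field it matches the literal string `ti_*` — so ANDed with `threat_query` this filter would exclude every indicator document and the rule would never produce a match (please verify on a live stack in case the Kibana filter layer rewrites phrase filters). `threat_query` already restricts to `event.dataset:ti_*` with a KQL wildcard, so the simplest fix is to drop that filter entry, or replace it with a `wildcard`/`query_string` clause. The same filter appears in the sibling "Threat Intel Indicator Match" rule. Minor: `in a Dridex campaign month ago` in the note should read `a month ago`.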


@ -0,0 +1,198 @@
{
"author": [
"Elastic"
],
"description": "This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.",
"from": "now-65m",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"interval": "1h",
"language": "kuery",
"license": "Elastic License v2",
"name": "Threat Intel Indicator Match",
"note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. 
For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
"query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
"references": [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
],
"risk_score": 99,
"rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0",
"severity": "critical",
"tags": [
"Elastic",
"Windows",
"Elastic Endgame",
"Network",
"Continuous Monitoring",
"SecOps",
"Monitoring"
],
"threat_filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.dataset",
"negate": false,
"params": {
"query": "ti_*"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.dataset": "ti_*"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.category",
"negate": false,
"params": {
"query": "threat"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.category": "threat"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.kind",
"negate": false,
"params": {
"query": "enrichment"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.kind": "enrichment"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.type",
"negate": false,
"params": {
"query": "indicator"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.type": "indicator"
}
}
}
],
"threat_index": [
"logs-ti_*"
],
"threat_indicator_path": "threat.indicator",
"threat_language": "kuery",
"threat_mapping": [
{
"entries": [
{
"field": "file.hash.md5",
"type": "mapping",
"value": "threat.indicator.file.hash.md5"
}
]
},
{
"entries": [
{
"field": "file.hash.sha1",
"type": "mapping",
"value": "threat.indicator.file.hash.sha1"
}
]
},
{
"entries": [
{
"field": "file.hash.sha256",
"type": "mapping",
"value": "threat.indicator.file.hash.sha256"
}
]
},
{
"entries": [
{
"field": "file.pe.imphash",
"type": "mapping",
"value": "threat.indicator.file.pe.imphash"
}
]
},
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
},
{
"entries": [
{
"field": "url.full",
"type": "mapping",
"value": "threat.indicator.url.full"
}
]
},
{
"entries": [
{
"field": "registry.path",
"type": "mapping",
"value": "threat.indicator.registry.path"
}
]
}
],
"threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
"timeline_title": "Generic Threat Match Timeline",
"type": "threat_match",
"version": 1
}
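Review bot: `index` includes `logs-*`, which also covers the `logs-ti_*` pattern used as `threat_index`, so the indicator documents themselves are scanned as source events; if any TI integration also writes top-level `source.ip`, `url.full` or `file.hash.*`, an indicator would match against itself and raise a critical alert with no host behind it. Keeping the two sides disjoint is a one-line change to `query`: `"query": "(file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*) and not event.kind:enrichment\n"`. The `event.dataset` `match_phrase` filter on `ti_*` also takes the wildcard literally rather than expanding it, as in the sibling v8.x module rule, and should be dropped in favour of the KQL `event.dataset:ti_*` already in `threat_query`.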