diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 98119798f67..2c657684d42 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -2,9 +2,9 @@ # NOTE: please use pre-release versions (e.g. -dev.0) until a package is ready for production - changes: - description: Release security rules update - link: https://github.com/elastic/integrations/pull/4377 + link: https://github.com/elastic/integrations/pull/4740 type: enhancement - version: 8.3.2 + version: 8.4.1 - changes: - description: Release security rules update link: https://github.com/elastic/integrations/pull/4063 @@ -89,10 +89,12 @@ - description: Fix package for 7.13.0 from detection-rules link: https://github.com/elastic/integrations/pull/1127 type: bugfix + version: 0.13.0 +- changes: - description: Publish package for 7.13.0 from detection-rules link: https://github.com/elastic/integrations/pull/1126 type: enhancement - version: 0.13.0 + version: 0.13.0-dev.0 - changes: - description: Fix security rules naming link: https://github.com/elastic/integrations/pull/987 diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json index d3905ad8742..850e0664fb3 100644 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json +++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json 
@@ -19,7 +19,8 @@ "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -78,7 +79,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json index 69ff3bb7cf0..3fc8a226c8b 100644 --- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -60,7 +61,8 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -93,7 +95,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "00140285-b827-4aee-aa09-8113f58a08f3", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json index 62a27a22ddb..581a4672894 100644 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json 
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json new file mode 100644 index 00000000000..285337ca5bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with an Elevated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\", \"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n\n not (process.code_signature.trusted == true 
and\n process.code_signature.subject_name in (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\", \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\"))\n", + "references": [ + "https://lengjibo.github.io/token/", + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", + "type": "security-rule" +} \ No newline at end of file 
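Review bot: The parent-executable exclusion list in the new query mixes the `?:` drive wildcard used for every other path with a literal `"C:\\\\Windows\\\\System32\\\\DriverStore\\\\*"`, so on a host whose system drive is not C: that path is not excluded while the neighbouring `"?:\\\\Windows\\\\System32\\\\msiexec.exe"` entry still is; writing it as `"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*"` makes the list consistent. The description's phrase `impersonating a Windows core binary privileges` reads oddly; `impersonating the token of a Windows core binary` states the same thing clearly. The leading query comment limits the rule to Elastic Endpoint 8.4+, presumably because `process.Ext.effective_parent.executable` (listed in required_fields as non-ECS with type `unknown`) is only populated from that version; saying so in that comment, e.g. `/* Requires Elastic Endpoint 8.4+ for process.Ext.effective_parent.executable */`, records why the constraint exists.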
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json index 28a84cf8738..15e2cbb4615 100644 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json +++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json @@ -48,7 +48,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -76,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "02a4576a-7480-4284-9327-548a806b5e48", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json index 4785ee3a5d9..48f2cbbc29c 100644 --- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json +++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json 
@@ -15,6 +15,9 @@ "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated\nwith business applications and databases to release the lock on files used by these applications so they may be encrypted,\nor stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same\nhost within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", + "references": [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" + ], "required_fields": [ { "ecs": true, @@ -46,7 +49,7 @@ "Windows", "Threat Detection", "Impact", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -72,7 +75,7 @@ "value": 10 }, "type": "threshold", - "version": 101 + "version": 102 }, "id": "035889c4-2686-4583-a7df-67f89c292f2c", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json index 5963ea609b3..27624a56939 100644 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json +++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json 
@@ -12,7 +12,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -53,7 +54,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -81,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json index 99f4c1e0c7e..1a3dc3621c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -50,7 +51,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Elastic Endgame" ], "threat": [ { @@ -71,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "0564fb9d-90b9-4234-a411-82a546dc1343", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json index 05f52c40d39..72ab39a8930 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json 
@@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -50,7 +51,8 @@ "Windows", "Threat Detection", "Execution", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -71,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json index 95a874aa23b..07f28c7ba1f 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json @@ -8,7 +8,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -42,7 +43,8 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -68,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "0635c542-1b96-4335-9b47-126582d2c19a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json index b651f8732e9..4f9e3ac4bae 100644 --- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json 
@@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -41,7 +42,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -69,7 +71,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json index 2f08c96d1fb..ee84ac72299 100644 --- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json +++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -47,7 +48,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -75,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "074464f9-f30d-4029-8c03-0ed237fffec7", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json new file mode 100644 index 00000000000..b6ee6f1b1ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json index 8b442b7396b..d671a651e1d 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json 
@@ -6,12 +6,13 @@ "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": [ - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", - "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and\n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", + "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", 
"required_fields": [ { "ecs": true, @@ -52,7 +53,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -79,7 +81,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "09443c92-46b3-45a4-8f25-383b028b258d", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json index 5080ff194a2..157eaef4bad 100644 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json @@ -55,7 +55,7 @@ "Threat Detection", "Credential Access", "Active Directory", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -83,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json index 31bf0ddd8ee..1b3b2f668f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json +++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -47,7 +48,8 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
@@ -68,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json index 716df4c7af8..aefe70da346 100644 --- a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json +++ b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json @@ -65,7 +65,7 @@ "Continuous Monitoring", "SecOps", "Monitoring", - "has_guide" + "Investigation Guide" ], "threat_filters": [ { @@ -228,7 +228,7 @@ "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", - "version": 101 + "version": 102 }, "id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json index 71b98f024ee..412776f9fdd 100644 --- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json +++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json @@ -8,7 +8,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "interval": "60m", "language": "eql", @@ -57,7 +58,8 @@ "Windows", "Threat Detection", "Execution", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -98,7 +100,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json index 5a7c095fc59..2c150ddb036 100644 --- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json +++ b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json @@ -24,7 +24,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json index 35275f0f2ef..4daadc10f0f 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json @@ -44,7 +44,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -84,7 +85,7 @@ }, "timestamp_override": "event.ingested", "type": "threshold", - "version": 100 + "version": 101 }, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json index d4ed9c00a24..1dd58f327e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json 
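Review bot: The `related_integrations` entry for the gcp audit package is changed from `^2.2.1` to `^2.0.0`, which relaxes rather than raises the minimum integration version; if every field the rule queries already existed in 2.0.0 this is fine, but if the original constraint was chosen because a field arrived in 2.2.x, the looser range lets the rule be installed against data that lacks it. A one-line justification in the commit description would settle which case applies.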
+++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json @@ -19,7 +19,8 @@ "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS" + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ], "required_fields": [ { @@ -61,7 +62,7 @@ "Network", "Threat Detection", "Lateral Movement", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -82,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "11013227-0301-4a8c-b150-4db924484475", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json index 139218a9a1f..444c05e43c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -46,7 +47,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -67,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json index 135730d69ca..400dc52a83e 100644 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json +++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC)\nWindows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC)\nWindows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" @@ -50,7 +50,7 @@ "Windows", "Threat Detection", "Privilege Escalation", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -78,7 +78,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json index b42d9da385b..fa36f0e4e3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -48,7 +49,8 @@ "Windows", "Threat Detection", "Impact", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
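Review bot: The osquery blocks added to the new note embed unescaped double quotes inside their `query` value; after JSON decoding the guide text reads `!{osquery{"query":"... WHERE NOT (user_account LIKE "%LocalSystem" OR ...)","label":"..."}}` and likewise `authenticode.result != "trusted"`, which is not a well-formed JSON argument object for the Osquery Markdown Plugin unless its parser is unusually lenient. SQLite/osquery accept single-quoted string literals, so rewriting those literals as `user_account LIKE '%LocalSystem'` (and the LocalService/NetworkService siblings) and `authenticode.result != 'trusted'` removes the ambiguity without changing what the queries return. The same pattern appears in the Desktopimgdownldr guide later in this commit and should be fixed in both places.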
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json
index 83fca034c1c..3cf2c40c64f 100644
--- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json
+++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json
@@ -14,13 +14,29 @@
 "license": "Elastic License v2",
 "name": "Kubernetes Suspicious Self-Subject Review",
 "note": "",
- "query": "kubernetes.audit.verb:\"create\"\nand kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\nand kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*) or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*) \n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n",
 "references": [
 "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms",
 "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access",
 "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.impersonatedUser.username",
@@ -71,7 +87,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "12a2f15d-597e-4334-88ff-38a02cb1330b",
 "type": "security-rule"
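Review bot: The rule still ships with `"note": ""`, so analysts get no triage guidance for what is by design a low-signal reconnaissance alert, and the rewritten query (which now correctly parenthesises the username/impersonatedUser alternation) changes what an analyst should expect to see. A short guide would tell them to examine `kubernetes.audit.requestObject.spec` for the resource and verb being probed, `kubernetes.audit.sourceIPs`, and the workload the service account is mounted into, and to add exceptions by username for the few automation accounts that legitimately call `kubectl auth can-i`. Separately, if I recall the default RBAC bootstrap correctly, SelfSubjectAccessReview and SelfSubjectRulesReview creation is granted to every authenticated principal through `system:basic-user`, so the new `decision:"allow"` clause will rarely filter anything here while a denied create would itself be an anomaly worth surfacing; consider whether that clause is needed in this particular rule.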
diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json index 8b662aa5462..f573f027b62 100644 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json +++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json @@ -5,7 +5,7 @@ ], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": [ - "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective." + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" ], "index": [ "logs-kubernetes.*" 
@@ -14,18 +14,39 @@
 "license": "Elastic License v2",
 "name": "Kubernetes Pod Created With HostNetwork",
 "note": "",
- "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostNetwork:true\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") \n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
 "references": [
 "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
 "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
 "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.objectRef.resource",
 "type": "unknown"
 },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.requestObject.spec.hostNetwork",
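Review bot: The new `and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")` clause hard-codes a single agent release into the rule body, so every other Elastic Agent version will alert until the rule is re-shipped, and the false-positives text in this same commit already tells users to handle trusted images through exceptions. It is also a weak allowlist from a security standpoint: the image string comes straight from the caller's request object and is not checked against a digest or signing policy, so a hostNetwork pod whose container is simply named `docker.elastic.co/beats/elastic-agent:8.4.0` bypasses the rule. Suggest dropping the clause from the query and documenting the exception in the note instead, e.g. `Exclude trusted hostNetwork workloads such as the Elastic Agent DaemonSet with a rule exception on kubernetes.audit.requestObject.spec.containers.image, scoped to the namespace and service account that deploy them`. If an in-query exclusion has to stay, pair it with `kubernetes.audit.objectRef.namespace` and `kubernetes.audit.user.username` so the image name alone is not the gate.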
@@ -63,11 +84,26 @@
 "reference": "https://attack.mitre.org/techniques/T1611/"
 }
 ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "12cbf709-69e8-4055-94f9-24314385c27e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json
index 29ab6c89442..d220c027c2e 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -46,7 +47,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -67,7 +69,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json
index f76ef1a8165..f7a6df5c9ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json
+++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json
@@ -14,12 +14,28 @@
 "license": "Elastic License v2",
 "name": "Kubernetes User Exec into Pod",
 "note": "",
- "query": "kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.verb:\"create\" \n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n",
 "references": [
 "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
 "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.objectRef.resource",
@@ -29,6 +45,11 @@
 "ecs": false,
 "name": "kubernetes.audit.objectRef.subresource",
 "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
 }
 ],
 "risk_score": 47,
@@ -60,7 +81,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json
index c458fdc706e..0d54866749a 100644
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json
+++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json
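Review bot: The new `kubernetes.audit.verb:"create"` clause matches the POST that the SPDY transport issues for `pods/exec`, but exec over the WebSocket transport begins with a GET handshake and, as far as I recall, is audited with verb `get`, so those sessions would now be filtered out; please confirm against a current client before relying on the verb, and if so use `kubernetes.audit.verb:("create" or "get")`. The added `decision:"allow"` clause also drops denied exec attempts, which are a useful signal for a principal probing its permissions, so a denied-exec companion rule at lower severity may be worth keeping. The rule still carries `"note": ""`; a minimal guide pointing analysts at `kubernetes.audit.user.username`, `kubernetes.audit.objectRef.namespace` and `.name`, the `command` parameter in `kubernetes.audit.requestURI`, and `kubernetes.audit.sourceIPs` would make the alert actionable.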
@@ -68,7 +68,7 @@
 "Threat Detection",
 "Privilege Escalation",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -108,7 +108,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json
index e2391c35534..0f951e7ad82 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Retrieve the file and determine if it is malicious:\n - Identify the file type.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task 
creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR 
user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" @@ -50,7 +51,8 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -71,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json index 7b8dfbdf716..bf98f4e1439 100644 --- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json 
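Review bot: The osquery blocks in the new note use double quotes inside their `query` value (`user_account LIKE "%LocalSystem"`, `authenticode.result != "trusted"`), which after JSON decoding leaves the plugin's `{"query":"...","label":"..."}` argument with unescaped quotes; unless the Osquery Markdown Plugin parser tolerates that, those blocks will not render. Single-quoted SQL literals (`LIKE '%LocalSystem'`, `!= 'trusted'`) avoid the problem without changing the queries. The rewritten introduction also keeps a pre-existing typo and comma splice: `is used to to configure lockscreen/desktop image, and can be abused with the \`lockscreenurl\` argument to download remote files and tools, this rule looks for this behavior` should read `is used to configure the lock screen/desktop image and can be abused with the \`lockscreenurl\` argument to download remote files and tools; this rule looks for that behavior`. This hunk additionally adds `endgame-*` to the index list while the guide's steps lean on Elastic Defend network and registry events and `process.entity_id`, so a one-line caveat that those steps require Elastic Defend data would spare analysts on Endgame-only hosts a dead end.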
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional 
compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\")\n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but 
good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\"\n ) and\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and\n registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "query": "registry where\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n\n(\n (registry.path : \"HK*\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*\\\\InprocServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\\\\*\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL\\\\*\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\")) or\n\n (registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\"))\n\n) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], @@ -53,7 +53,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { 
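Review bot: In the rewritten `query` for Component Object Model Hijacking, `user.domain != "NT AUTHORITY"` has moved from inside the HKEY_USERS group to the top level, so it now also gates the scrobj.dll branch and the new `HKLM\\*\\InProcServer32\\*` branch; any HKLM COM registration made from a SYSTEM/service context is no longer evaluated by either branch, whereas the previous version filtered only the user-hive branch. If that narrowing is intended, a comment on the new side such as `/* SYSTEM context is excluded on every branch, not only the user hive */` would make it explicit; otherwise the filter belongs back inside the HKEY_USERS group. `!=` is a strict comparison, so events that carry no `user.domain` at all may be dropped depending on how the EQL engine treats comparisons against a missing field — worth confirming against the data sources this rule reads. Minor: the new HKLM branch spells the key `InProcServer32` while the other patterns use `InprocServer32`; the `:` operator is case-insensitive so this is harmless, but the inconsistency reads like a typo.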
@@ -81,7 +81,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "16a52c14-7883-47af-8745-9357803f0d4c",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json
index ebd17afdea0..dd41b1b77e5 100644
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json
+++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json
@@ -69,7 +69,7 @@
 "Threat Detection",
 "Privilege Escalation",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -102,7 +102,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json
index 130dfbd53bc..c276fb8993e 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json
@@ -16,7 +16,8 @@
 ],
 "name": "Suspicious Powershell Script",
 "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
 ],
 "risk_score": 21,
 "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
@@ -54,7 +55,7 @@
 }
 ],
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json
index 2c5bdcb3300..6236c785299 100644
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json
+++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -46,7 +47,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -74,7 +76,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json
index 060e0113096..4f6fed3847a 100644
--- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json
+++ b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json
index 8ec3983fee3..aa27ed3d7cf 100644
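Review bot: The `related_integrations` constraint for the `gcp` `audit` integration is loosened from `"^2.2.1"` to `"^2.0.0"` in the `@@ -23,7 +23,7 @@` hunk of 184dfe52-2999-42d9-b9d1-d1ca54495a61.json; that widens the accepted integration range downward, and because the rule's `query` is outside this hunk the diff does not show whether every field it references exists in 2.0.x of that integration. If the lowering is deliberate (for example to match the floor used by the package's other GCP rules), a one-line rationale in the commit description would keep it from being read as an accidental regression of the constraint.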
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json
+++ b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json
@@ -27,10 +27,10 @@
 "Cloud",
 "AWS",
 "ML",
- "has_guide"
+ "Investigation Guide"
 ],
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json
index c6fc824e7f6..76dd9b422b3 100644
--- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json
+++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -50,7 +51,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -78,7 +80,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json
index 605e74abd5b..39e5b79cff7 100644
--- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json
+++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json
@@ -62,7 +62,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Log Auditing",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -90,7 +90,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json
index d9449f6dd0d..1320c2880de 100644
--- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json
+++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", - "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before\ninvestigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before\ninvestigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "required_fields": [ { @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json index 020b96accd6..043a1d4de66 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json @@ -72,7 +72,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -115,7 +115,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json index d18a3524da2..628743c61a7 100644 
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json
+++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious File Creation in /etc for Persistence",
- "query": "file where event.action == \"creation\" and user.name == \"root\" and file.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\")\n",
+ "query": "file where event.action == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\")\n",
 "references": [
 "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
 "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
@@ -144,7 +144,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json
index 95c1b2a8d6c..2310bcea253 100644
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json
+++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json
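Review bot: The expanded exclusion list in the new `query` of "Suspicious File Creation in /etc for Persistence" matches `process.executable` only on the trailing path component (`"*/snapd"`, `"*/dnf-automatic"`, `"*/elastic-agent"`, …), so the allowlist is satisfied by any file carrying one of those names regardless of where it lives; for a root-only, high-value path set like `/etc/cron.d/*` and `/etc/sudoers.d/*`, anchoring each entry to the package manager's absolute installation path, or carrying the tuning as a rule exception instead of baking it into the query, keeps the carve-out from being met by a renamed binary. `"*/elastic-agent"` is the broadest new entry — presumably added because the agent drops a unit file under `/etc/systemd/system/` at install time — and could be scoped to that single directory rather than all five watched paths. Both points concern only the new-side exclusion tuple; the rest of the rule body lies outside this hunk.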
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the script file and the executable involved and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Manually analyze the script to determine if malicious capabilities are present.\n- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by 
looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "required_fields": [ { @@ -71,7 +71,7 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -91,7 +91,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "1d276579-3380-4095-ad38-e596a01bc64f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json index c4cf547f3a0..3e191dd04e5 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json @@ -61,7 +61,7 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -94,7 +94,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "type": "security-rule" 
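Review bot: The osquery blocks added to the "Remote File Download via Script Interpreter" guide put SQL string literals in double quotes inside what is itself a JSON object: once the note string is decoded the plugin sees `{"query":"... WHERE NOT (user_account LIKE "%LocalSystem" ...)","label":...}` and `... authenticode.result != "trusted"",...`, where the inner quotes terminate the `query` value early, so if the markdown plugin parses the `!{osquery{...}}` block as JSON these two queries will not render or run. SQLite accepts single-quoted literals, so `LIKE '%LocalSystem'`, `LIKE '%LocalService'`, `LIKE '%NetworkService'` and `!= 'trusted'` avoid the quoting problem without changing the query's meaning. Separately, `user_account == null` evaluates to NULL rather than TRUE under SQL three-valued logic, which makes the whole `NOT (...)` predicate NULL for every row and leaves "Retrieve Services Running on User Accounts" returning nothing; `user_account IS NULL` is the intended test. The same quoting pattern appears in the guide added for rule 15c0b7a7-9c34-4869-b25b-fa6518414899 earlier in this diff, whose hunk begins outside this chunk.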
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json
index dc79b700812..4e2a97056cc 100644
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json
+++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "interval": "60m",
 "language": "eql",
@@ -62,7 +63,8 @@
 "Windows",
 "Threat Detection",
 "Execution",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -103,7 +105,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json
index 647d4701f39..0889dc979c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json
+++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json
index 5d59a3a9f8f..df7850b97e5 100644
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json
+++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json
@@ -11,13 +11,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and\nlegitimate. This verification is based upon the identification of a certification authority. Windows\nadds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The\ninstallation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid\nsigned components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file\nmodifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting\nSSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", "references": [ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" @@ -49,7 +50,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -77,7 +79,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json index 99d6f78eb91..aab6a620018 100644 --- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json 
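Review bot: The `not process.executable` exclusion in the new query, carried over unchanged while the `\REGISTRY\MACHINE\...` paths were added, still blanket-excludes `?:\Windows\System32\*.exe`, `?:\Windows\SysWOW64\*.exe`, `?:\Program Files\*.exe` and `?:\Program Files (x86)\*.exe`; writing these HKLM keys already requires administrator rights, so anyone able to trigger this rule can also drop a binary under Program Files, and if the EQL `*` spans path separators (which the `?:\Windows\WinSxS\*.exe` entry seems to rely on) the exclusion also swallows `certutil.exe -addstore Root` and the PowerShell host running `Import-Certificate`, the usual living-off-the-land ways a rogue root CA is planted. Consider narrowing the System32/Program Files entries to the specific installers and services you have observed writing these blobs, or at minimum carving `?:\Windows\System32\certutil.exe` and `?:\Windows\System32\WindowsPowerShell\*\powershell.exe` back in, and recording in the false-positive section which writers are deliberately trusted. The query also watches only HKLM; a per-user root store under `HKEY_USERS\*\Software\Microsoft\SystemCertificates\Root\Certificates\*\Blob` can be written without elevation and is honoured for that user by applications that use the Windows certificate store, so the guide should state explicitly that user-hive installs are out of scope of this rule (or a sibling rule should cover them).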
@@ -12,14 +12,15 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using\n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the 
system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating 
systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using\n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 
\"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "http://findingbad.blogspot.com/2017/" + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -63,7 +64,7 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -91,7 +92,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json index 9434f7fad27..c6938913e2e 100644 --- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json 
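Review bot: In the new osquery block labelled `Osquery - Retrieve Services Running on User Accounts`, the predicate `WHERE NOT (... OR user_account == null)` is not a NULL test: osquery evaluates SQLite, where `== NULL` (like `= NULL`) yields NULL rather than true, so services with a NULL `user_account` are dropped only because the whole `NOT (...)` expression becomes NULL, not because the comparison matched; write `user_account IS NULL` so the intent is explicit and survives any later reshaping of the condition. The double-quoted `"%LocalSystem"` literals work only because SQLite falls back to treating an unknown identifier as a string, so single quotes (`'%LocalSystem'`) are the safer spelling there too. On the rule query itself (unchanged context lines in this hunk), `winlog.event_data.AccessMask` is pinned to `0x1fffff`, `0x1010`, `0x120089` and `0x1F3FFF`; masks such as `0x1410`, `0x1438` and `0x143a` are commonly logged for LSASS reads by credential-dumping tools, so environments whose 4656 events do not populate the `AccessMaskDescription` branch will miss those requests — confirm the list against a sample 4656 from a known dumper before relying on it, and say so in the guide.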
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", - "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called\nSolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party\nservers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct\nthe backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services.\nThe malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion\nImprovement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The\nbackdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and\nanti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity\nby imitating the Orion Improvement Program (OIP) protocol behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the executable involved:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.\n- Investigate the network traffic.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive\n(B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called\nSolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party\nservers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct\nthe backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services.\nThe malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion\nImprovement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The\nbackdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and\nanti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity\nby imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive\n(B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -97,7 +97,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "22599847-5d13-48cb-8872-5796fee8692b", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json b/packages/security_detection_engine/kibana/security_rule/231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json index 0650fff8d10..d0e2e6ce05b 100644 
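Review bot: The refreshed guide's first steps still direct the analyst to check that executables are "signed with valid digital signatures" and to sandbox and hash "the executable involved", but as the guide's own summary states, SUNBURST is the signed `SolarWinds.Orion.Core.BusinessLayer.dll` plugin loaded by the listed hosts (`SolarWinds.BusinessLayerHost.exe` and friends), so the process image will pass both checks on an infected host. Add a bullet such as `- Hash and examine the loaded SolarWinds.Orion.Core.BusinessLayer.dll (and the other Orion plugin DLLs) rather than only the host process; a valid SolarWinds signature on the DLL does not clear it — compare its hash against the published SUNBURST indicators.` On the query (unchanged context), `not http.request.body.content : "*solarwinds.com*"` is a substring test over a field that appears to hold the raw request (it is also matched against `POST*`), so any C2 request that carries that string anywhere — a `Referer` or `Host` header, a URL parameter — is exempted; anchoring the exclusion to the request line or Host header, if the field layout allows, would close that hole. The osquery `user_account == null` comparison in the new services query is also not a NULL test in SQLite (`== NULL` yields NULL); use `user_account IS NULL`.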
--- a/packages/security_detection_engine/kibana/security_rule/231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json
+++ b/packages/security_detection_engine/kibana/security_rule/231876e7-4d1f-4d63-a47c-47dd1acdc1cb.json
@@ -18,7 +18,8 @@ "note": "## Triage and analysis\n\n### Investigating Potential Shell via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web\nscript that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a\nnetwork. A web shell may provide a set of functions to execute or a command line interface on the system that hosts the\nweb server.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating\nattackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, file modifications, and\nany other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently\nmalicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "event.category:process and event.type:(start or process_started) and\nprocess.name:(bash or dash or ash or zsh or \"python*\" or \"perl*\" or \"php*\") and\nprocess.parent.name:(\"apache\" or \"nginx\" or \"www\" or \"apache2\" or \"httpd\" or \"www-data\")\n", "references": [ - "https://pentestlab.blog/tag/web-shell/" + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" ], "required_fields": [ { @@ -50,7 +51,8 @@ "Host", "Linux", "Threat Detection", - "Persistence" + "Persistence", + "Investigation Guide" ], "threat": [ { @@ -78,7 +80,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json index a4a2be3ccde..cea9f05b756 100644 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json +++ b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -74,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", "type": "security-rule" 
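Review bot: The parent allowlist in the rule's query, `process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")`, only covers Apache/nginx-style workers; an interpreter spawned by a `php-fpm` pool worker or by a Java application server (`java`, `tomcat`) follows the same web-shell pattern and would not be seen, so consider adding those if the rule is meant to cover them. I also believe KQL treats `*` inside a quoted value (`"python*"`, `"perl*"`, `"php*"`) as a literal character rather than a wildcard, in which case a `python3` child would be missed; confirm with a test event before relying on it. Neither point is introduced here, but the hunk is the only place in the diff that touches this rule's query context.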
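Review bot: Relaxing the `gcp`/`audit` entry in `related_integrations` from `"^2.2.1"` to `"^2.0.0"` advertises that this rule's fields exist in gcp audit 2.0.x–2.2.0 as well, which Kibana uses when suggesting integrations to install; unless the fields listed in this rule's `required_fields` were checked against the 2.0.0 field mappings, keep the tighter bound. If the relaxation was deliberate (for example to align with the integration version the package itself depends on), a sentence in the PR description saying so would save the next reviewer the same question.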
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json index ca621a06cc0..5f770d04069 100644 --- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are\nalready downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local\nsystem) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server\nCore products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters.\nAttackers can leverage this technique to elevate privileges or maintain persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are\nalready downloaded. 
Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local\nsystem) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server\nCore products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters.\nAttackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", 
\"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" @@ -55,7 +55,8 @@ "Windows", "Threat Detection", "Persistence", - "CVE-2020-1313" + "CVE-2020-1313", + "Investigation Guide" ], "threat": [ { @@ -83,7 +84,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "type": "security-rule" 
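Review bot: The second osquery block in the new note, `... OR user_account == null)`, compares with `==` instead of `IS NULL`; in SQLite `user_account == null` evaluates to NULL, and `NOT (false OR false OR false OR NULL)` is also NULL, so the "Retrieve Services Running on User Accounts" query should return no rows at all, even for services running under a user account. Change it to `user_account IS NULL`. The SQL string literals in the same blocks are double-quoted (`LIKE "%LocalSystem"`, `!= "trusted"` after JSON decoding), which leaves bare `"` characters inside the osquery plugin's `{"query": ...}` payload and relies on SQLite's identifier-to-literal fallback; single quotes (`'%LocalSystem'`, `'trusted'`) keep both the SQL and the embedded JSON well-formed. I cannot see how the plugin parses the payload, so confirm against a rendered alert.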
diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json new file mode 100644 index 00000000000..5e014b0ebe0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "required_fields": [ 
+ { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json index 2fd163a9b7c..3f4e23e74be 100644 --- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json 
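Review bot: The new rule ships without a `note` investigation guide while every other rule in this change gains an "Investigation Guide" tag; for a high-severity privilege-escalation rule a short triage section (compare `process.parent.Ext.real.pid` with the claimed parent, check the child's signer, look at the `seclogon`/`svchost` chain named in the query comments) would help analysts act on it. The path-based exclusions for `WerFault.exe`, `WerFaultSecure.exe`, `Wermgr.exe` and `securityhealthsetup.exe` carry no signature condition, whereas the vendor allowlist does require `process.code_signature.trusted == true`; pairing the path exclusions with the same `trusted` check would narrow the gap the inline comment acknowledges for hollowing. The signer allowlist uses the case-sensitive `in`; if the target stack supports `in~`, it avoids a signer string that differs only in case slipping past the exclusion, though I cannot confirm from here which stack version this package targets.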
+++ b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json @@ -54,7 +54,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "26edba02-6979-4bce-920a-70b080a7be81", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json index bdf2f735879..aa48d799d86 100644 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json +++ b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json @@ -24,7 +24,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -70,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json index 3ceb211484e..bac8326b880 100644 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json 
@@ -15,11 +15,12 @@ "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", - "query": "sequence by host.id with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : \"S-1-5-21-*-500\"\n )\n ] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by host.id with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", - 
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx" + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -96,7 +97,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json index 31b8281d3c7..acbee69474a 100644 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json @@ -52,7 +52,7 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -73,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json index f9e4094919d..88ca5974441 100644 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json 
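Review bot: The added pattern `"S-1-12-1-*-500"` is unlikely to match what it is meant to: as far as I know, `S-1-12-1` is the Azure AD identity authority and the four trailing sub-authorities are derived from the account's object GUID, so a `-500` suffix there is coincidental rather than the built-in Administrator RID that `S-1-5-21-*-500` denotes. If the intent is to catch resets of privileged Azure AD-joined accounts, the `winlog.event_data.TargetUserName` naming patterns already in the query, or a curated SID list per the existing `/* ... duplicate the rule ... */` comment, are the reliable path; if the pattern came from observed telemetry, a comment citing that would justify keeping it. Either way the inline comment could state that the SID branch is only authoritative for local/domain built-in administrators.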
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows\ndirectory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows\ndirectory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" @@ -40,7 +40,7 @@ "Windows", "Threat Detection", "Privilege Escalation", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -68,7 +68,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "290aca65-e94d-403b-ba0f-62f320e63f51", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json index 1bc1606f9fd..f4101878a1b 100644 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json +++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json 
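Review bot: The osquery block `... OR user_account == null)` in the new note has the same SQL defect as the other guide in this change: in SQLite `user_account == null` yields NULL, so `NOT (... OR NULL)` is never true and the "Retrieve Services Running on User Accounts" query returns nothing; use `user_account IS NULL`, and switch the double-quoted literals (`"%LocalSystem"`, `"trusted"`) to single quotes so the embedded `{"query": ...}` JSON stays well-formed. Separately, the three service queries are generic and say nothing about this rule's own indicator, the `C:\Windows \system32\` directory in the context query; a targeted check such as listing entries under that path with the osquery `file` table would give the analyst direct evidence of the masquerading directory. I cannot see how the plugin parses the payload, so confirm the quoting against a rendered alert.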
@@ -19,7 +19,9 @@ "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web\nscript that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a\nnetwork. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the\nweb server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating\nattackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently\nmalicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": [ - "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/" + "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" ], "required_fields": [ { @@ -47,7 +49,8 @@ "Host", "Windows", "Threat Detection", - "Persistence" + "Persistence", + "Investigation Guide" ], "threat": [ { @@ -90,7 +93,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "2917d495-59bd-4250-b395-c29409b76086", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json index bd874e6db0f..3ba35bc1052 100644 --- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known\nlegitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack,\nsuch as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network\nconnections.\n- Retrieve the process executable and determine if it is malicious:\n - Check if the file belongs to the operating system or has a valid digital signature.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will 
need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known\nlegitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack,\nsuch as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network\nconnections.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "required_fields": [ { @@ -51,7 +51,7 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -79,7 +79,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "type": "security-rule" 
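Review bot: The osquery snippets added to the new `note` nest double-quoted SQL literals (`LIKE \"%LocalSystem\"`, `authenticode.result != \"trusted\"`) inside the plugin's own `{"query": "...", "label": "..."}` object, so once the outer JSON string is decoded the inner object holds unescaped quotes and is not valid JSON by itself; whether the Osquery Markdown Plugin tolerates that I can't tell from the diff, but SQLite accepts single-quoted literals, so `LIKE '%LocalSystem'` and `!= 'trusted'` express the same query without the ambiguity (double-quoted tokens in SQLite are identifiers that only fall back to strings when no such column exists). In the same services query, `user_account == null` never evaluates true because any comparison with NULL yields NULL; NULL rows are dropped anyway by the surrounding predicate, but `user_account IS NULL` says what was meant. The identical three snippets are repeated in the Adobe Hijack Persistence note (2bf78aa2-9c56-48de-b139-f169bf99cf86) later in this diff, so the same fix applies there. The new text also carries over the pre-existing typos `Steps to implement the logging policy with with Advanced Audit Configuration` and `artifacts that indicates`.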
diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json
index c2018dcdd3c..c2ccbf5cc67 100644
--- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json
+++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json
@@ -5,7 +5,7 @@
 ],
 "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.",
 "false_positives": [
- "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log."
+ "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
 ],
 "index": [
 "logs-kubernetes.*"
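Review bot: The guidance added to `false_positives` names the exception field as `kubernetes.audit.requestObject.spec.container.image` (singular `container`), while the query and the `required_fields` entry in the next hunk use `kubernetes.audit.requestObject.spec.containers.image`; an analyst who copies the documented name into an exception gets a field that does not exist in the events and the exception silently never matches. Suggested line: `Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.containers.image\"`. The same string still carries the pre-existing misspelling `kuberenetes.audit.requestObject.spec.volumes.hostPath.path`, worth correcting while the text is being edited.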
@@ -14,17 +14,38 @@
 "license": "Elastic License v2",
 "name": "Kubernetes Pod created with a Sensitive hostPath Volume",
 "note": "",
- "query": "kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:(\"/\" or \"/proc\" or \"/root\" or \"/var\" or \"/var/run/docker.sock\" or \"/var/run/crio/crio.sock\" or \"/var/run/cri-dockerd.sock\" or \"/var/lib/kubelet\" or \"/var/lib/kubelet/pki\" or \"/var/lib/docker/overlay2\" or \"/etc\" or \"/etc/kubernetes\" or \"/etc/kubernetes/manifests\" or \"/home/admin\")\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or \n \"/proc\" or \n \"/root\" or \n \"/var\" or \n \"/var/run\" or \n \"/var/run/docker.sock\" or \n \"/var/run/crio/crio.sock\" or \n \"/var/run/cri-dockerd.sock\" or \n \"/var/lib/kubelet\" or \n \"/var/lib/kubelet/pki\" or \n \"/var/lib/docker/overlay2\" or \n \"/etc\" or \n \"/etc/kubernetes\" or \n \"/etc/kubernetes/manifests\" or \n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
 "references": [
 "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
 "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.objectRef.resource",
 "type": "unknown"
 },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path",
@@ -62,11 +83,26 @@
 "reference": "https://attack.mitre.org/techniques/T1611/"
 }
 ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json
index 7ac5b599f0f..5aaa809f747 100644
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json
+++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json
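Review bot: The exclusion `and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")` appended to the new `query` keys trust to an image string taken from the submitted pod spec, which nothing in the event verifies against a digest, namespace or requesting identity, and the match is per container, so a pod carrying that string in any container is suppressed as a whole regardless of which container mounts the listed paths. It is also pinned to one tag, so every other agent release alerts again and the `false_positives` text in the previous hunk has to point analysts back at exception lists anyway. I'd drop the hard-coded image from the rule and let per-deployment exceptions carry it, or, if a built-in exclusion is wanted, combine the image with the requesting namespace and service-account fields of the same audit event and document that assumption next to the clause. The added `event.dataset : "kubernetes.audit_logs"` and `authorization_k8s_io/decision:"allow"` prefixes are sound: denied requests never create a pod, so filtering them removes noise without losing coverage.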
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched\nwhenever Adobe Acrobat Reader is executed.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched\nwhenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == 
null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" @@ -45,7 +45,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -73,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json index 3ae6d7cf88f..1affc3c5ee5 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -50,7 +51,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
@@ -105,7 +107,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json
index cea65683b13..63200921d3d 100644
--- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json
+++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -60,7 +61,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -81,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json
index b2cae18a27e..ebde03c4545 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is\nmalicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system\ncalls to bypass security solutions that rely on hooks.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False 
positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting\nSSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is\nmalicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system\ncalls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, 
modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting\nSSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", @@ -50,7 +50,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Sysmon Only" ], "threat": [ { @@ -71,7 +72,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "2dd480be-1263-4d9c-8672-172928f6789a", "type": "security-rule" 
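Review bot: The rewritten investigation guide for "Suspicious Process Access via Direct System Call" still carries false-positive and remediation text that belongs to a certificate rule — "certain applications that install root certificates for the purpose of inspecting SSL traffic" and "Remove the malicious certificate from the root certificate store" — neither of which applies to a Sysmon event 10 process-access detection, so the analyst is pointed at the wrong artifacts. Suggest replacing the FP bullet with one about security products, browser sandboxes and game clients that legitimately access processes from unhooked modules (the categories the query's TargetImage/executable exclusion lists already reflect) and dropping the certificate remediation bullet. Separately, the embedded Osquery query "Retrieve Services Running on User Accounts" filters with `OR user_account == null`; in SQLite a comparison with NULL evaluates to NULL, so `NOT (... OR NULL)` is never true for a service running under a real user account and the query appears to return no rows at all — `OR user_account IS NULL` is the intended form. The same query text is added to the 2fba96c0 guide later in this diff and is presumably shared by every guide in this commit that carries the Osquery block, so it should be fixed at the template.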
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json
new file mode 100644
index 00000000000..593dd394696
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json
@@ -0,0 +1,101 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Wireless Credential Dumping using Netsh Command",
+ "note": "",
+ "query": "process where event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n",
+ "references": [
+ "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
+ "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access",
+ "Discovery",
+ "Elastic Endgame"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ },
+ {
+ "id": "T1555",
+ "name": "Credentials from Password Stores",
+ "reference": "https://attack.mitre.org/techniques/T1555/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
index fa4656d5b7e..709db421744 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
+++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json
index a6e24e06bb5..b1891ffb725 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json
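Review bot: `"note": ""` leaves the new Netsh rule without an investigation guide even though it ships as high severity and the sibling rules in this commit gain full Osquery-backed guides. Suggest a short "Triage and analysis" note that tells the analyst to identify the user and parent process behind the `netsh wlan ... key=clear` invocation, check whether it matches a help-desk or device-provisioning workflow, review other credential-access alerts for the same host in the past 48 hours, and on confirmation treat the exposed Wi-Fi pre-shared keys as compromised and rotate them, since a PSK is shared by every device on that network. The query would also read better with an inline EQL comment, as the 2dd480be query already does, e.g. `/* key=clear makes netsh print the saved WLAN profile key in plaintext for both "show profile" and "export profile" */`. The "Discovery"/T1082 mapping looks like a stretch for this behaviour; the two Credential Access techniques already describe it, and the extra tactic tag will surface the rule under Discovery dashboards where it does not belong.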
+++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json
@@ -20,7 +20,8 @@
 "references": [
 "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
 "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
- "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"
+ "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1",
+ "https://www.elastic.co/security-labs/detect-credential-access"
 ],
 "required_fields": [
 {
@@ -44,7 +45,7 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -77,7 +78,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
index e2cadca0a0e..d05678fb48b 100644
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
+++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json
@@ -36,7 +36,7 @@
 "Windows",
 "Threat Detection",
 "Persistence",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -64,7 +64,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/2f0bae2d-bf20-4465-be86-1311addebaa3.json b/packages/security_detection_engine/kibana/security_rule/2f0bae2d-bf20-4465-be86-1311addebaa3.json
deleted file mode 100644
index aae11fd1950..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f0bae2d-bf20-4465-be86-1311addebaa3.json
+++ /dev/null
@@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).", - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Kubernetes Rolebindings Created or Patched", - "note": "", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or\nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or\nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and\nnot gcp.audit.authentication_info.principal_email:\"system:addon-manager\"\n", - "references": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.2.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": false, - "name": "gcp.audit.authentication_info.principal_email", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "GCP", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "threat": [ 
- { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "2f0bae2d-bf20-4465-be86-1311addebaa3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json index f3e60e1e2bc..365d813d7b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json +++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json @@ -39,7 +39,7 @@ "Windows", "Threat Detection", "Collection", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -82,7 +82,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json index f4e83ca8869..1b3a3a0f411 100644 --- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json +++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. 
This activity could be based\non new software installations, patches, or any kind of network administrator related activity. Before undertaking further\ninvestigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further\ninvestigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "required_fields": [ { @@ -59,7 +59,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -86,7 +86,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json index 83d9e3df37e..890d9351eca 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json 
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type in (\"creation\", \"change\") and\n (\n (\n registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path:\"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", + "query": "registry where event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": [ 
"https://thedfirreport.com/2020/12/13/defender-control/" ], @@ -50,7 +51,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -83,7 +85,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json index c54b7ab4519..34435e8fb83 100644 --- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json +++ b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json @@ -24,7 +24,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -70,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "30562697-9859-4ae0-a8c5-dab45d664170", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json index d4eb05ab504..07b3b2f2f0c 100644 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command`\nregistry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location\nof another binary or script is added to this registry value, it will be executed as a high-integrity process without a\nUAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by\n`eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)\nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the\nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command`\nregistry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location\nof another binary or script is added to this registry value, it will be executed as a high-integrity process without a\nUAC prompt being displayed to the user. 
This rule detects this UAC bypass by monitoring processes spawned by\n`eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "required_fields": [ { @@ -42,7 +42,7 @@ "Windows", "Threat Detection", "Privilege Escalation", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -70,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json index 4b0d3f63a18..62439cf26bd 100644 --- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json +++ b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ 
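Review bot: The osquery blocks added to the investigation guide embed unescaped double quotes inside the plugin's JSON `query` string — `user_account LIKE "%LocalSystem"` and `authenticode.result != "trusted"` after JSON decoding — so the `!{osquery{...}}` payload is not valid JSON and will likely fail to render or execute unless the plugin parser is lenient. SQL string literals take single quotes, which also removes the escaping problem: `user_account LIKE '%LocalSystem'`, `authenticode.result != 'trusted'`. Separately, `OR user_account == null` evaluates to NULL for every row, which makes the whole `NOT (...)` predicate NULL under three-valued logic, so the "Retrieve Services Running on User Accounts" query returns no rows at all; it should read `OR user_account IS NULL`. The identical guide text is added in 33f306e8-417c-411b-965c-c2812d6d3f4d (Remote File Download via PowerShell) and needs the same two fixes; the `SELECT * FROM dns_cache` block is fine.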
@@ -74,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "3202e172-01b1-4738-a932-d024c514ba72", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json index 49e07e50401..3d50d9eeb4b 100644 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json +++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -36,7 +37,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -64,7 +66,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json index 0a1aa5d22b7..db23de77cf9 100644 --- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json @@ -42,7 +42,7 @@ "Windows", "Threat Detection", "Initial Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -70,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json index accd3026c49..3adf7d43c87 100644 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json @@ -63,7 +63,7 @@ "Identity and Access", "Credential Access", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -93,7 +93,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json index a403a71befc..ce854531953 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it\navailable for use in various environments and creates an attractive way for attackers to execute code and perform\nactions. This rule correlates network and file events to detect downloads of executable and script files performed using\nPowerShell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, 
CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert\nif the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. 
However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it\navailable for use in various environments and creates an attractive way for attackers to execute code and perform\nactions. This rule correlates network and file events to detect downloads of executable and script files performed using\nPowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the 
Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. 
Analysts can dismiss the alert\nif the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "required_fields": [ { @@ -71,7 +71,7 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -113,7 +113,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json index ca8940a5d9a..c80b865ed61 100644 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json 
@@ -16,14 +16,19 @@ ], "language": "kuery", "license": "Elastic License v2", - "name": "Telnet Port Activity", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n", + "name": "Accepted Default Telnet Port Connection", + "query": "event.category:(network or network_traffic) and destination.port:23\n and network.direction:(inbound or ingress or outbound or egress)\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", "required_fields": [ { "ecs": true, "name": "destination.port", "type": "long" }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, { "ecs": true, "name": "event.category", @@ -31,7 +36,7 @@ }, { "ecs": true, - "name": "network.transport", + "name": "network.direction", "type": "keyword" } ], @@ -44,7 +49,9 @@ "Network", "Threat Detection", "Command and Control", - "Host" + "Host", + "Lateral Movement", + "Initial Access" ], "threat": [ { @@ -91,7 +98,7 @@ "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", - "version": 100 + "version": 101 }, "id": "34fde489-94b0-4500-a76f-b8a157cf9269", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json index 12b2b1a180c..21ae48ea85e 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json 
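Review bot: The rewritten query drops `network.transport:tcp`, so any flow to destination port 23 now matches regardless of transport, and the renamed rule's "accepted connection" meaning rests entirely on the `not event.action:(...)` denylist — an event whose `event.action` is unset, or carries a vendor value not in that list, is reported as accepted. KQL compares keyword values case-sensitively, so `Reject` matches only that spelling while `deny`/`denied` match only lowercase; if the sources in `index` populate ECS `event.outcome`, an allowlist such as `event.outcome:success` would be a more robust positive signal than enumerating drop verbs. Either restore `and network.transport:tcp` or state in the description that non-TCP port-23 flows are intended to alert.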
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n", + "query": "registry where registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" ], @@ -35,7 +36,8 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -56,7 +58,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json index 7c4df6c8352..faed54599f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json 
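Review bot: The widened `registry.path` list in `query` still covers only the `PortProxy\v4tov4` subkey, while the guide in the same hunk says the rule detects forwarding of "IPv4 or IPv6" connections; `netsh interface portproxy` also writes `v4tov6`, `v6tov4` and `v6tov6` subkeys, so a rule with an IPv6 side is not caught. If the narrower scope is deliberate, the guide's "This rule monitors the modifications to ..." sentence should say so; otherwise change both patterns to `...\\\\Services\\\\PortProxy\\\\v*tov*\\\\*`. Note also that the query has no `event.type` condition, so deleting a rule fires the same alert as adding one — the guide's own "Delete the port forwarding rule" step will re-trigger it, which is worth a sentence in the false-positive section.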
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", - "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the\nsystem and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the\nsystem and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", 
\"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", @@ -46,7 +46,7 @@ "Windows", "Threat Detection", "Privilege Escalation", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -74,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json index 3b75841739c..845a97f6a67 100644 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json 
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json @@ -19,7 +19,8 @@ "references": [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" ], "required_fields": [ { @@ -68,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "3688577a-d196-11ec-90b0-f661ea17fbce", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json index 5954f439293..309316a607e 100644 --- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json +++ b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json @@ -59,7 +59,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -80,7 +80,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "37994bca-0611-4500-ab67-5588afe73b77", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json index b5339cd7b09..408ed414433 100644 --- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json +++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json 
@@ -62,7 +62,7 @@ "SecOps", "Log Auditing", "Initial Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -90,7 +90,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json index a59ecf8ef89..2e85d320975 100644 --- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json +++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json @@ -15,7 +15,8 @@ "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -66,7 +67,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json index b855b29b096..3cbbdd3251b 100644 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Retrieve the downloaded file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", @@ -50,7 +50,7 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -70,7 +70,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json index 777c213696b..d99cb2ed372 100644 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json +++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json 
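Review bot: The three `!{osquery{...}}` blocks added to this `note` carry the same quoting problem as the other guides in this change: the SQL inside the `query` value uses double quotes (`LIKE "%LocalSystem"`, `!= "trusted"`), which after JSON decoding terminate the enclosing `"query":"..."` string early and, in SQLite, denote identifiers rather than literals — switch them to `'%LocalSystem'` and `'trusted'`, and replace `user_account == null` with `user_account IS NULL`. A wording nit in the same hunk: "derived artifacts that indicates suspicious activities" should read "that indicate". The detection `query` itself is unchanged context here.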
@@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "kuery", "license": "Elastic License v2", @@ -49,7 +50,8 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -82,7 +84,7 @@ "value": 15 }, "type": "threshold", - "version": 101 + "version": 102 }, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json index 6e75efb119a..2f62aeb55e5 100644 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -41,7 +42,8 @@ "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Elastic Endgame" ], "threat": [ { @@ -62,7 +64,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json index 966c75c5232..0b41d3d4463 100644 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json +++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json 
@@ -9,7 +9,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -19,7 +20,8 @@ "query": "process where event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy" + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -47,7 +49,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Elastic Endgame" ], "threat": [ { @@ -75,7 +78,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json index 76d7024f6bf..5316be2658e 100644 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json +++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json 
@@ -62,7 +62,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Log Auditing",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -105,7 +105,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json
index dbe4199228c..4cbaffb9fa7 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json
@@ -74,7 +74,9 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Investigation Guide",
+ "Sysmon Only"
 ],
 "threat": [
 {
@@ -94,7 +96,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json
index f2807b2c66e..3509ec47c07 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json
@@ -17,7 +17,8 @@
 "query": "process where event.type == \"start\" and\n event.action == \"exec\" and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n",
 "references": [
 "https://linuxsecurity.com/features/fileless-malware-on-linux",
- "https://twitter.com/GossiTheDog/status/1522964028284411907"
+ "https://twitter.com/GossiTheDog/status/1522964028284411907",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
 ],
 "required_fields": [
 {
@@ -71,7 +72,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json
index 120bcb4f8ff..ca7f648c355 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -44,7 +45,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -72,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "416697ae-e468-4093-a93d-59661fa619ec",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json
index 0089bc77640..f3d6afe99c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json
@@ -18,7 +18,8 @@
 "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -79,7 +80,7 @@
 "value": 25
 },
 "type": "threshold",
- "version": 101
+ "version": 102
 },
 "id": "42bf698b-4738-445b-8231-c834ddefd8a0",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json
index de96a5f3215..cbe04cdcc47 100644
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json
+++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json
@@ -13,7 +13,7 @@
 "license": "Elastic License v2",
 "name": "Process Creation via Secondary Logon",
 "note": "",
- "query": "sequence by host.id with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id:\"S-1-5-21-*\" and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and \n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n",
+ "query": "sequence by host.id with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and \n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n",
 "references": [
 "https://attack.mitre.org/techniques/T1134/002/"
 ],
@@ -105,7 +105,7 @@
 }
 ],
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "id": "42eeee3d-947f-46d3-a14d-7036b962c266",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json
index 056895d14d8..642814f4c6b 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json
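Review bot: The widened filter `user.id : ("S-1-5-21-*", "S-1-12-1-*")` carries no comment explaining the second prefix, while the adjacent `/* seclogon service */` comment documents the rest of the stage; a one-liner such as `/* local/domain user SIDs (S-1-5-21) and Azure AD / Entra ID cloud user SIDs (S-1-12-1) */` would stop the next editor from treating it as a stray entry. The stage also still requires `source.ip == "::1"`, so a seclogon logon recorded with the IPv4 loopback `127.0.0.1` (whether any shipped source does so is not verifiable from the hunk) would never pair with the process start in the second stage; `source.ip in ("::1", "127.0.0.1")` would remove the dependency on the address family at no cost to precision, since both forms are loopback.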
@@ -13,8 +13,11 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation,\nverify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation,\nverify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], "required_fields": [ { "ecs": true, @@ -47,7 +50,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -75,7 +78,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json index 0322ff0fb89..6df5e7bed05 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json 
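Review bot: The SQL string literals inside two of the new embedded osquery snippets use double quotes within a double-quoted JSON `"query"` value — `user_account LIKE "%LocalSystem"` (and the two following `LIKE`s) and `authenticode.result != "trusted"` — which terminates the JSON string early, so a strict parser in the osquery markdown plugin would reject those two snippets while `SELECT * FROM dns_cache` and the plain services query render fine. SQLite accepts single-quoted literals, so `LIKE '%LocalSystem'`, `LIKE '%LocalService'`, `LIKE '%NetworkService'` and `!= 'trusted'` fix both without changing what the queries return. In the same WHERE clause `user_account == null` never matches because a comparison with NULL yields NULL in SQLite, so services with no account are not excluded as the label intends; `user_account IS NULL` is the correct form.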
@@ -15,7 +15,8 @@
 "note": "",
 "query": "sequence by host.id, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n",
 "references": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382"
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
+ "https://www.elastic.co/security-labs/detect-credential-access"
 ],
 "required_fields": [
 {
@@ -90,7 +91,7 @@
 }
 ],
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json
index e5216b45f13..c6e9bf9a844 100644
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json
+++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json
@@ -31,7 +31,7 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -59,7 +59,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json
index c5dc94d9a00..5831d685266 100644
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json
+++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -55,7 +56,8 @@
 "Windows",
 "Threat Detection",
 "Collection",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -83,7 +85,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "45d273fb-1dca-457d-9855-bcb302180c21",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json
index d3fc0b38e1b..a9cbf5bf1e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json
+++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -80,7 +82,7 @@
 "timeline_title": "Comprehensive Process Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json
index 364616f2a88..3a4ce2a0ed6 100644
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -44,7 +45,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Credential Access"
+ "Credential Access",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -65,7 +67,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json
index 0cc1e88d65b..f20ac59fb12 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json
@@ -16,7 +16,8 @@
 "query": "sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n",
 "references": [
 "https://github.com/mpgn/BackupOperatorToDA",
- "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp"
+ "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp",
+ "https://www.elastic.co/security-labs/detect-credential-access"
 ],
 "required_fields": [
 {
@@ -56,7 +57,7 @@
 "Threat Detection",
 "Lateral Movement",
 "Credential Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -98,7 +99,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json
index 1b340edb7b7..34ca569092d 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -42,7 +43,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -70,7 +72,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json
index f1f7a305159..e6127c35a14 100644
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json
+++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json
index 5f500d812c2..4d20b88882d 100644
--- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json
@@ -40,7 +40,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Discovery"
+ "Discovery",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -88,7 +89,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json
index ecc773c322c..4e8104613f6 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json
@@ -10,7 +10,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -53,7 +54,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -93,7 +95,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json
index d6588e2e610..2f568ab14ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -49,7 +50,9 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -70,7 +73,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json
index 8c3649f1b07..92b45b47904 100644
--- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json
+++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json
@@ -14,6 +14,11 @@
 "name": "Unauthorized Access to an Okta Application",
 "note": "",
 "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
+ ],
 "related_integrations": [
 {
 "package": "okta",
@@ -90,7 +95,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json
index b2749ad7911..edfd714574f 100644
--- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json
+++ b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
 "type": "security-rule"
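Review bot: The `related_integrations` minimum for the gcp `audit` integration is relaxed from `^2.2.1` to `^2.0.0` with no rule-logic change alongside it and no changelog entry; this widens the versions the rule advertises as compatible, so confirm that every entry in `required_fields` (outside the hunk) is mapped by gcp audit 2.0.0, otherwise Kibana may steer users toward an integration version that cannot populate the query. The same relaxation appears further down for rule 5663b693; if it is intentional, a one-line rationale in the PR description would save the next reviewer the same question.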
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json
index e9bbe503352..287d62ea75e 100644
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json
+++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json
@@ -60,7 +60,7 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -87,7 +87,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json
index 09c1e3d54d5..a305f1676b1 100644
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json
+++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -42,7 +43,8 @@
 "Windows",
 "Threat Detection",
 "Execution",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -63,7 +65,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json
index ca45db7d333..1fd635ae732 100644
--- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json
+++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json
@@ -9,12 +9,13 @@
 ],
 "from": "now-9m",
 "index": [
- "logs-endpoint.events.*"
+ "logs-endpoint.events.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Network Logon Provider Registry Modification",
- "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n",
+ "query": "registry where registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n",
 "references": [
 "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
@@ -45,7 +46,8 @@
 "Windows",
 "Threat Detection",
 "Persistence",
- "Credential Access"
+ "Credential Access",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -81,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
 "type": "security-rule"
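Review bot: The second `registry.path` form `\\REGISTRY\\MACHINE\\SYSTEM\\...` is added without saying which data source emits native NT-style key paths, whereas the adjacent `/* Excluding default NetworkProviders ... */` comment documents the other half of the query; a comment such as `/* HKLM form from Elastic Defend; \REGISTRY\MACHINE native form presumably from Endgame - confirm against samples */` would record the intent next to the new `endgame-*` index. The exclusion below it compares `registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll", ...)`, and `in` is case-sensitive in EQL; if the new source reports the value with different casing (for example `system32`), SYSTEM writes of the three default providers would no longer be excluded on `endgame-*` data and could alert broadly. The case-insensitive `in~` (or `:` per value) would make the exclusion independent of how each source normalizes the path, without changing what Elastic Defend events match.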
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json
index c64b636fae0..feed8a78b42 100644
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json
+++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json
@@ -59,7 +59,7 @@
 "Windows",
 "Threat Detection",
 "Execution",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -95,7 +95,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json
index 8785550d70b..4b80df28eb9 100644
--- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json
+++ b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json
@@ -24,7 +24,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -75,7 +75,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json
index 40ceab1123f..30a0cd2c73a 100644
--- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json
+++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through\nPowerShell, enabling defenders to discover tools being dropped in the environment.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The\nscript content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id`\nfor filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through\nPowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The\nscript content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id`\nfor filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - 
Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise 
(IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.category:process and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n )\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", @@ -43,7 +43,7 @@ "Windows", "Threat Detection", "Execution", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -76,7 +76,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json index 023d160fa4a..b3b10a422ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json 
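Review bot: The osquery directives added to the investigation guide embed SQL string literals in double quotes inside the directive's own JSON — `"query":"... user_account LIKE "%LocalSystem" OR ..."` and `... authenticode.result != "trusted""` — so the inner quotes terminate the JSON string early unless the Osquery Markdown Plugin parses more leniently than a strict JSON reader, and `user_account == null` is never true in SQL. Single-quoted literals and `IS NULL` fix both: `... WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. The identical directives are added to the 58c6d58b-a0d3-412d-b3b8-0981a9400607 note (the hunk at `@@ -13,7 +13,7 @@` further down), so the same correction applies there. The banner's "Older Elastic stacks versions" also reads better as "Older Elastic stack versions".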
@@ -44,7 +44,7 @@
 "Windows",
 "Threat Detection",
 "Credential Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -94,7 +94,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json
index ac8996bc596..154ec426941 100644
--- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json
+++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json
@@ -47,7 +47,7 @@
 "Windows",
 "Threat Detection",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -68,7 +68,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json
index 3c5753d13c3..493ebc5e0bf 100644
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json
+++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json
@@ -57,7 +57,7 @@
 "Windows",
 "Threat Detection",
 "Lateral Movement",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -85,7 +85,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json
index 06f650d7483..a0a8f79c4f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json
+++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json
@@ -71,7 +71,7 @@
 "Windows",
 "Threat Detection",
 "Lateral Movement",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -103,7 +103,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json
index 8ee0cb0d830..3c5e37ae8b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", - "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an\nunprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),\nwhich is outside the scope of this rule.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Verify whether a 
digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. 
Upon successful exploitation, an\nunprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),\nwhich is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n 
processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of 
compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": [ "https://github.com/klinix5/InstallerFileTakeOver" @@ -60,7 +60,7 @@ "Windows", "Threat Detection", "Privilege Escalation", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -81,7 +81,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json
index 47b79f181fc..e557b3824a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json
+++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json
@@ -16,7 +16,8 @@
 "note": "",
 "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
 "references": [
- "https://github.com/hfiref0x/UACME"
+ "https://github.com/hfiref0x/UACME",
+ "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"
 ],
 "required_fields": [
 {
@@ -77,7 +78,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json
index a9ad5594593..fe6bff547e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json
+++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -36,7 +37,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -64,7 +66,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json
index 886b9b73f80..6e5b513252e 100644
--- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json
+++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json
@@ -12,7 +12,7 @@
 ],
 "language": "eql",
 "license": "Elastic License v2",
- "name": "User Added to Privileged Group in Active Directory",
+ "name": "User Added to Privileged Group",
 "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are\ngranted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are\nuncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is\nlegitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account\nthis level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "iam where event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n",
 "references": [
@@ -40,7 +40,7 @@
 "Windows",
 "Threat Detection",
 "Persistence",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -61,7 +61,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json
new file mode 100644
index 00000000000..4932cf644db
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json
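Review bot: The rule is renamed to `User Added to Privileged Group`, but the investigation guide heading on the very next context line still reads `### Investigating User Added to Privileged Group in Active Directory`, and the guide's opening paragraph and false-positive section speak only of Active Directory although the group list in the query includes `Local Administrators`. Update the heading to `### Investigating User Added to Privileged Group` and add a sentence to the opening paragraph saying that local privileged groups are monitored too, so the guide matches what the renamed rule now claims to cover.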
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Persistence via PowerShell profile",
+ "query": "file where event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n",
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.013",
+ "name": "PowerShell Profile",
+ "reference": "https://attack.mitre.org/techniques/T1546/013/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
index 21670037de6..0c86d76cae9 100644
--- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
+++ b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
@@ -55,7 +55,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Identity and Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -83,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json
index 2cab3d12cdd..3039bbe6d93 100644
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json
+++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json
@@ -41,7 +41,7 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -61,7 +61,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json
index 8b5b23c9d45..d078cba7b91 100644
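Review bot: The `file.path` list in `query` does not include the `$PSHOME` directory of PowerShell 7 (`?:\Program Files\PowerShell\*`), and the `file.name` list omits the host-specific profile names `Microsoft.PowerShellISE_profile.ps1` and `Microsoft.VSCode_profile.ps1`, all of which the linked about_profiles reference documents, so a profile written to those locations or under those names would not be detected. If the intent is to cover every documented profile location, add a `?:\\Program Files\\PowerShell\\*` entry to the path list (escaped like the existing entries) and the two host profile names to the `file.name` list. Minor: the `description` reads "persist in a environment"; it should be "an environment".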
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json
+++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json
@@ -43,7 +43,7 @@
 "Windows",
 "Threat Detection",
 "Discovery",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -103,7 +103,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "61ac3638-40a3-44b2-855a-985636ca985e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json
index a3e36cf5abe..66f9c45b016 100644
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json
+++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json
@@ -51,7 +51,7 @@
 "Threat Detection",
 "Persistence",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -66,7 +66,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json
index 5b4003be7d1..dcbd2db8184 100644
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json
+++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json
@@ -53,7 +53,7 @@
 "Threat Detection",
 "Persistence",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "62a70f6f-3c37-43df-a556-f64fa475fba2",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json
new file mode 100644
index 00000000000..8bb78c5a724
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json
@@ -0,0 +1,100 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.",
+ "false_positives": [
+ "Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Suspicious Assignment of Controller Service Account",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\" \n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n",
+ "references": [
+ "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.namespace",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.serviceAccountName",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "63c05204-339a-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.001",
+ "name": "Default Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 3
+ },
+ "id": "63c05204-339a-11ed-a261-0242ac120002",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json
new file mode 100644
index 00000000000..52efc53be45
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json
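Review bot: `setup` says only that the Kubernetes integration with audit logs is required, but `query` depends on `kubernetes.audit.requestObject.spec.serviceAccountName`, which is present in an audit event only when the cluster's audit policy records the request body (level `Request` or `RequestResponse`) for pod creates in kube-system; at `Metadata` level the field is absent, the rule never fires, and nothing indicates why. Suggest extending `setup` with a sentence such as `The audit policy must log pod requests in the kube-system namespace at the Request or RequestResponse level, since this rule inspects the request body.` The same gap applies to the rewritten query in 65f9bccd-510b-40df-8263-334f03174fed, which reads `kubernetes.audit.requestObject.spec.type`. The `note` field is an empty string here and in the other new Kubernetes rules, so analysts get no triage guidance for an alert whose description promises "complete cluster control"; even a short investigation-steps section would help.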
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.",
+ "false_positives": [
+ "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Denied Service Account Request",
+ "note": "",
+ "query": "event.dataset: \"kubernetes.audit_logs\" \n and kubernetes.audit.user.username: system\\:serviceaccount\\:* \n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\" \n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.user.username",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "63c056a0-339a-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1613",
+ "name": "Container and Resource Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1613/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+ },
+ "id": "63c056a0-339a-11ed-a261-0242ac120002",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json
new file mode 100644
index 00000000000..e654255005b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json
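Review bot: The rule produces one alert per denied request, and a workload whose RBAC binding was tightened will usually retry the same call continuously, so a single misconfiguration yields a stream of identical alerts rather than one signal; the `false_positives` text calls the behavior "highly abnormal" without mentioning this. Consider a threshold variant grouped on `kubernetes.audit.user.username`, or at least a sentence in `false_positives` noting that repeated denials from one service account usually trace back to a single RBAC change. Also, `description` says the service account "makes an unauthorized request", while the query keys on the `forbid` authorization decision, i.e. a request that was authenticated but not authorized; phrasing it as "a request that the API server's authorizer denied" avoids reading it as an authentication failure.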
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.",
+ "false_positives": [
+ "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Anonymous Request Authorized",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and (kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\") or not kubernetes.audit.user.username:*)\n and not kubernetes.audit.objectRef.resource:(\"healthz\" or \"livez\" or \"readyz\")\n",
+ "references": [
+ "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.user.username",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "63c057cc-339a-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Initial Access",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.001",
+ "name": "Default Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+ },
+ "id": "63c057cc-339a-11ed-a261-0242ac120002",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json
index b50f74027a4..e5071a53472 100644
--- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json
+++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json
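Review bot: The health-endpoint exclusion `not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")` is unlikely to match anything: `/healthz`, `/livez` and `/readyz` are non-resource URLs, and the API server's audit event for a non-resource request carries the path in `requestURI` and has no `objectRef`, so anonymous health probes would pass the filter and the rule would fire on every one of them despite `description` and `false_positives` saying they are excluded. If the integration preserves the audit event's `requestURI` field, the exclusion should be expressed on the request path, e.g. `and not kubernetes.audit.requestURI:(\"/healthz*\" or \"/livez*\" or \"/readyz*\")`, with `required_fields` updated to match; verify against a captured health-check event before changing. The `or not kubernetes.audit.user.username:*` branch also treats any event lacking a username as anonymous, which is a reasonable fail-closed choice but deserves a sentence in `false_positives` since it can include events from ingestion gaps rather than anonymous callers.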
@@ -14,13 +14,29 @@
 "license": "Elastic License v2",
 "name": "Kubernetes Exposed Service Created With Type NodePort",
 "note": "",
- "query": "kubernetes.audit.objectRef.resource:\"services\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.objectRef.resource:\"services\" \n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") \n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n",
 "references": [
 "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types",
 "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport",
 "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.objectRef.resource",
@@ -67,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "65f9bccd-510b-40df-8263-334f03174fed",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json
index 82a2eb7649f..70e0c4a94d8 100644
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json
+++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised\nsystem. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the\nlikelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can\nbe abused for exfiltration or command and control.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate 
services. Noisy\nfalse positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", - "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\"\n ) and\n /* Insert noisy false 
positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised\nsystem. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the\nlikelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can\nbe abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy\nfalse positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n 
\"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", "required_fields": [ { "ecs": true, @@ -49,7 +49,7 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -97,7 +97,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json new file mode 100644 index 00000000000..86cc049ba0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of the msPKIAccountCredentials", + "note": "", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
\u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Active Directory", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json index 1c0a7367f47..f17628d5eb6 100644 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json +++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json 
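Review bot: The `setup` block's Set-AuditRule example is copied from the msDS-KeyCredentialLink rule — its own sentence says "As this specifies the msDS-KeyCredentialLink Attribute GUID" and it passes `-AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063` — so a SACL built from it audits writes to msDS-KeyCredentialLink, not to the `msPKIAccountCredentials` attribute this query filters on, and the 5136 events the rule depends on would never be produced for User objects. Replace the GUID with the `schemaIDGUID` of the `ms-PKI-AccountCredentials` attributeSchema object (look it up in the forest's schema partition rather than copying from another rule) and reword that sentence to name msPKIAccountCredentials. If credential roaming is actually enabled, the user's own session presumably writes this attribute as part of normal roaming — worth confirming — in which case the empty `note` should tell the analyst to compare `winlog.event_data.SubjectUserSid` with the modified object's owner and to focus on writes by a different principal.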
@@ -18,7 +18,8 @@
 "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -77,7 +78,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json
index ed94e221c85..d0e0664709d 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json
@@ -18,7 +18,8 @@
 "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -69,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json
index d0427e77075..5c79158541d 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json
@@ -44,7 +44,7 @@
 "Linux",
 "Threat Detection",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -70,7 +70,7 @@
 "value": 10
 },
 "type": "threshold",
- "version": 101
+ "version": 102
 },
 "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json
index 4040c71bd7c..f9357a18434 100644
--- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json
+++ b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json
@@ -15,7 +15,8 @@
 "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -49,7 +50,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json
index b9abc5d2d36..d67ab3062a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json
+++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json @@ -62,7 +62,7 @@ "Continuous Monitoring", "SecOps", "Log Auditing", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -105,7 +105,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json new file mode 100644 index 00000000000..bcd65bd78f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Xavier Pich" + ], + "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", + "false_positives": [ + "A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", + "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", + "setup": "The AWS Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json index 7212d8096ce..9f091ba5a75 100644 --- a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json +++ b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json @@ -65,7 +65,7 @@ "Continuous Monitoring", "SecOps", "Monitoring", - "has_guide" + "Investigation Guide" ], "threat_filters": [ { @@ -228,7 +228,7 @@ "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", - "version": 101 + "version": 102 }, "id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json index c3b2d5bb681..a6d8ea6d2fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json 
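Review bot: The description says the rule identifies "attempts" to disable or schedule deletion of a CMK, but the query requires `event.outcome:success`, so denied attempts — the signal an under-privileged intruder probing KMS actually produces — are dropped; either remove the outcome clause or change the description to "successful attempts". The `note` field is empty although the response is time-bound: `ScheduleKeyDeletion` only opens a pending-deletion window (7–30 days per the linked schedule-key-deletion reference) during which `CancelKeyDeletion` reverses it completely, and `DisableKey` is undone by `EnableKey`, so a short triage note should tell the analyst to check the key's pending-deletion state and cancel it before doing anything else. The `logs-aws*` index pattern is also wider than the CloudTrail data stream this query reads; `logs-aws.cloudtrail-*` avoids scanning every other AWS dataset on each 10-minute run.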
+++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Impact", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -68,7 +68,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json index 379c734e1cc..32de098ce98 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json @@ -11,7 +11,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -49,7 +50,8 @@ "Windows", "Threat Detection", "Collection", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -82,7 +84,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "6aace640-e631-4870-ba8e-5fdda09325db", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json index 784fa3a0b19..80c04cae786 100644 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", - "query": "sequence by host.id with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\"] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by host.id with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and \n \n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", "references": [ "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" 
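Review bot: The new exclusion in the `iam` segment compares only a prefix — `startswith~(DnsHostName, TargetUserName minus its trailing $)` — so an attacker who names the computer account themselves (the Certifried case this rule targets, where the account is created under MachineAccountQuota) can pick a name that is a prefix of the target DC's hostname, e.g. `DC$` for a DC named `DC01.domain.local`, and the update is suppressed. Anchor the comparison on a full DNS label instead: `not startswith~(winlog.event_data.DnsHostName, concat(substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1), "."))`. If `winlog.event_data.TargetUserName` is ever absent from the 4742 event, `substring` presumably yields null and the whole `not startswith~` term stops being true, silently dropping the event — worth confirming against EQL null semantics and, if so, guarding the exclusion with `winlog.event_data.TargetUserName : "*$"`.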
@@ -68,6 +68,11 @@ "name": "winlog.event_data.TargetLogonId", "type": "keyword" }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, { "ecs": false, "name": "winlog.logon.type", @@ -115,7 +120,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json index e35a66bd68b..40cfaea7364 100644 --- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json +++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json @@ -29,7 +29,7 @@ "Threat Detection", "ML", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -56,7 +56,7 @@ } ], "type": "machine_learning", - "version": 101 + "version": 102 }, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json index ba699e4ed95..b85be75f645 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json +++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json @@ -8,7 +8,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -47,7 +48,8 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
@@ -75,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json index 46e8b556f7f..14b32fe07c9 100644 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json @@ -62,7 +62,7 @@ "Continuous Monitoring", "SecOps", "Log Auditing", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -90,7 +90,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json index 4e538f8b084..5fd21dd51a2 100644 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json @@ -58,7 +58,7 @@ "Continuous Monitoring", "SecOps", "Monitoring", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -86,7 +86,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json index 6e275b41f31..8439dc5b317 100644 
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json +++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json 
@@ -13,7 +13,8 @@ "name": "Persistence via WMI Standard Registry Provider", "query": "registry where\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", "references": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov" + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" ], "required_fields": [ { @@ -95,7 +96,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json new file mode 100644 index 00000000000..4d0ccefc3d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", + "false_positives": [ + "Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Container Created with Excessive Linux Capabilities", + "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. \nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks. \nNET_ADMIN - Perform various network-related operations. \nSYS_ADMIN - Perform a range of system administration operations. 
\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. \nSYS_MODULE - Load and unload kernel modules. \nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)). \nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", + "query": "event.dataset: kubernetes.audit_logs \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create \n and kubernetes.audit.objectRef.resource: pods \n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\") \n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", + "references": [ + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", + "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", + "https://man7.org/linux/man-pages/man7/capabilities.7.html", + "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "7164081a-3930-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "7164081a-3930-11ed-a261-0242ac120002", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json index 6a51ba0fd64..c1b8b736606 100644 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json 
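Review bot: The capability list in the `capabilities.add` clause omits `ALL`, so a container created with `add: ["ALL"]` — which grants every capability the runtime supports, including all nine listed here — produces no alert; add it as the first term: `kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("ALL" or "BPF" or "DAC_READ_SEARCH" or ...)`. The query only inspects `spec.containers`; `spec.initContainers` and `spec.ephemeralContainers` carry the same `securityContext.capabilities.add` and are equally usable for an escape, so the same clause should be OR'd across those two paths (and the fields added to `required_fields`). Because the image exclusion is evaluated against every image in the pod's containers array, a pod that pairs a privileged container with a sidecar running `docker.elastic.co/beats/elastic-agent:8.4.0` is excluded as a whole, and pinning one tag means the next agent upgrade brings the alert back — this exception is better expressed as a Kibana rule exception on image plus namespace/service account than hard-coded in the query. The `""` term in the exclusion also deserves a comment in `false_positives` on what it is meant to skip.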
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are\nbuilt up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty,\ncontains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the\ncreation of alternate data streams on highly targeted file types.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the\nfollowing PowerShell cmdlet to accomplish this:\n - `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious 
artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are\nbuilt up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty,\ncontains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the\ncreation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. 
Analysts can use the\nfollowing PowerShell cmdlet to accomplish this:\n - `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" 
OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "file where event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n",
 "required_fields": [
 {
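Review bot: The osquery step added to the new `note` for "Osquery - Retrieve Services Running on User Accounts" ends its predicate with `OR user_account == null`; in SQLite, which osquery runs on, a comparison with NULL yields NULL rather than false, so `NOT (FALSE OR FALSE OR FALSE OR NULL)` is NULL for every non-system account and the query returns no rows at all. The intended form is `OR user_account IS NULL`. The identical query text is added to the 7405ddf1 guide in the next hunk of this diff and needs the same correction. Unrelated to the change but on the new side: the unchanged `file.extension` list in the query lists `\"png\"` twice, and "Older Elastic stacks versions" in the added Note should read "Older Elastic Stack versions".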
@@ -46,7 +46,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -74,7 +75,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "71bccb61-e19b-452f-b104-79a60e546a95",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json
index c3de7026fe1..34dddad8169 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json
@@ -18,7 +18,8 @@
 "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -69,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "729aa18d-06a6-41c7-b175-b65b739b1181",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json
index fe962b7e90b..5c70587b6ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by\naccessibility features. Windows contains accessibility features that may be launched with a key combination before a\nuser has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs\nare launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features\nbinaries' original file names, which is likely a custom binary deployed by the attacker.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by\naccessibility features. Windows contains accessibility features that may be launched with a key combination before a\nuser has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs\nare launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features\nbinaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery 
- Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
 "references": [
 "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
@@ -55,7 +55,7 @@
 "Windows",
 "Threat Detection",
 "Persistence",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -105,7 +105,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json
index a34d3c70b81..95e14cf3980 100644
--- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json
+++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json
@@ -3,9 +3,9 @@
 "author": [
 "Elastic"
 ],
- "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the host\ufffds IPC namespace. If any process on the host or any processes in a pod uses the host\ufffds inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.",
+ "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.",
 "false_positives": [
- "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective."
+ "An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
 ],
 "index": [
 "logs-kubernetes.*"
@@ -14,18 +14,39 @@
 "license": "Elastic License v2",
 "name": "Kubernetes Pod Created With HostIPC",
 "note": "",
- "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostIPC:true\n",
+ "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") \n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
 "references": [
 "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
 "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
 "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
 ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
 "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.objectRef.resource",
 "type": "unknown"
 },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "unknown"
+ },
 {
 "ecs": false,
 "name": "kubernetes.audit.requestObject.spec.hostIPC",
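Review bot: The new false_positives text tells analysts to add exceptions on `kubernetes.audit.requestObject.spec.container.image`, but the query and required_fields added in the next hunk use `kubernetes.audit.requestObject.spec.containers.image` (plural); an exception built on the documented name would never match, so the sentence should name `\"kubernetes.audit.requestObject.spec.containers.image\"`. The replacement for the garbled `\ufffd` in the description also dropped the apostrophe: `the hosts IPC namespace` and `the hosts inter-process communication mechanisms` should read `the host's …`, as the false_positives entry in the same hunk already writes it.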
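Review bot: The new query bakes a suppression into the rule, `and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")`, pinned to a single image tag; it silently stops suppressing the agent's own pods on the next agent upgrade, and since the image string comes from the caller-supplied pod spec, any hostIPC pod that merely declares that image name is also suppressed regardless of what it runs. The rule's own false_positives text recommends per-environment exceptions on this field, so the agent allowance fits better as a rule exception than as query logic. If it stays in the query, the hunk gives no reason why the agent pod needs hostIPC; a short `note` entry explaining that would help whoever next widens or removes it.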
@@ -63,11 +84,26 @@
 "reference": "https://attack.mitre.org/techniques/T1611/"
 }
 ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "764c8437-a581-4537-8060-1fdb0e92c92d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json
new file mode 100644
index 00000000000..805688a74cd
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json
@@ -0,0 +1,79 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-system.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Access to a Sensitive LDAP Attribute",
+ "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n )\n",
+ "references": [
+ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
+ "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.Properties",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": 
"winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "setup": "", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json index da451f6ffda..a30c522e229 100644 --- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json +++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json @@ -40,7 +40,8 @@ "Host", "Windows", "Threat Detection", - "Privilege Escalation" + "Privilege Escalation", + "Sysmon Only" ], "threat": [ { @@ -61,7 +62,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json index cc72bc58640..4b3dfea680c 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json 
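Review bot: In the new Access to a Sensitive LDAP Attribute rule, `note` tells operators to enable 'Audit Directory Service Changes', but the query keys on `event.code == "4662"` (Directory Service Access), which Windows generates under the separate 'Audit Directory Service Access' subcategory; with the policy configured as written, the events this rule depends on would not be produced. The third reference likewise points at the event-5136 documentation page rather than the 4662 one. Change both lines of the note to `Audit Directory Service Access (Success,Failure)` and swap the reference for the event-4662 page; since 4662 is only emitted for objects that carry a matching SACL, a sentence saying so would also help, and `setup` is left as `""` so the note is currently the only place this prerequisite is stated.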
+++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json @@ -8,7 +8,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -40,7 +41,8 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -61,7 +63,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json index 020ba09c4b6..d8056378ace 100644 --- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -41,7 +42,8 @@ "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Elastic Endgame" ], "threat": [ { @@ -87,7 +89,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json index 95cc8eb66b8..57f21e3c566 100644 --- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json 
+++ b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "max_signals": 10000, "name": "Adversary Behavior - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n", + "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", "required_fields": [ { "ecs": false, @@ -44,7 +44,7 @@ "Elastic Endgame" ], "type": "query", - "version": 100 + "version": 101 }, "id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json index 69cc4069e4f..7dabac39ac3 100644 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json +++ b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json @@ -52,7 +52,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -88,7 +88,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json index 49e037410d3..db2a90ffb45 100644 --- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json +++ b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json 
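Review bot: Replacing `rules_engine_event` with `behavior_protection_event` in the Adversary Behavior - Detected - Elastic Endgame query means any Endgame data still carrying the old subtype no longer matches, and the hunk gives no indication whether the old name was retired or only renamed in newer sensor versions. If both spellings can appear in `endgame-*` data, matching either keeps coverage: `event.kind:alert and event.module:endgame and (event.action:(behavior_protection_event or rules_engine_event) or endgame.event_subtype_full:(behavior_protection_event or rules_engine_event))`. Either way, a line in the commit description naming the sensor version that introduced the new subtype would let operators judge whether the change affects their fleet.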
@@ -27,10 +27,10 @@
 "Cloud",
 "AWS",
 "ML",
- "has_guide"
+ "Investigation Guide"
 ],
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json
index 93167e8d9b1..008d53c7687 100644
--- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json
+++ b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json
@@ -19,7 +19,8 @@
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
- "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+ "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
+ "https://www.elastic.co/security-labs/detect-credential-access"
 ],
 "related_integrations": [
 {
@@ -83,7 +84,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json
index 5cc1d93b32b..db6f16caa5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json
@@ -16,11 +16,12 @@ "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "", - "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\"\n", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828*\n", "references": [ "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", - "https://github.com/OTRF/Set-AuditRule" + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" ], "required_fields": [ { @@ -37,6 +38,11 @@ "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" } ], "risk_score": 73, @@ -70,7 +76,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 100 + "version": 101 }, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json index b441bfab2cb..8a444341c0d 100644 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json @@ -8,7 +8,8 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", 
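Review bot: The new `winlog.event_data.AttributeValue :B\\:828*` clause in the Potential Shadow Credentials query pins the rule to one fixed length prefix of the msDS-KeyCredentialLink DN-with-binary value, and nothing in the rule records why that constant was chosen; `note` is still `""`. Presumably `828` is the hex-character length of a typical KeyCredential blob and the prefix exists to drop attribute-clear writes that event 5136 also logs, but that should be confirmed against the newly added cyberstoph reference and written into `note`, e.g. `msDS-KeyCredentialLink is logged as B:<hex-length>:<blob>:<DN>; the B:828 prefix selects writes of a full key credential`. A one-line explanation also lets operators adjust the prefix if their own data shows other legitimate lengths.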
@@ -52,7 +53,8 @@ "Windows", "Threat Detection", "Discovery", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -78,7 +80,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json index 18872760ee6..053ee38bc83 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json @@ -53,7 +53,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -81,7 +82,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json index 2cf2e1454ae..8b79f64a21f 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json +++ b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -74,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "7ceb2216-47dd-4e64-9433-cddc99727623", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json
index 7c2de074f5a..9e5f13c8724 100644
--- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json
+++ b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json
@@ -27,10 +27,10 @@
 "Cloud",
 "AWS",
 "ML",
- "has_guide"
+ "Investigation Guide"
 ],
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json
index 84fa1a7c3b2..f65c16185c4 100644
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json
+++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it\nprocesses, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type == \"change\" and\n registry.path :\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n and registry.data.strings : (\"0\", \"0x00000000\")\n", + "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], @@ -45,7 +46,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -73,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json index 71121cf5285..d7e497a3a15 100644 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json 
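Review bot: The second `registry.path` value added to the PowerShell Script Block Logging Disabled query, `\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging`, is the NT-native spelling of the same key as the `HKLM\\...` entry above it and is presumably there because `endgame-*` joins `index` in the same hunk, but the rule does not say so. An EQL comment beside it, e.g. `/* native registry path form, as emitted by some sources such as Endgame */`, would document the pairing and remind a maintainer to keep both spellings when the key list changes.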
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the\ndisk. This strategy can circumvent string and file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the\ndisk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.category:process and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n )\n", "required_fields": [ { @@ -39,7 +39,7 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -87,7 +87,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json index 404ffb290df..54a82d1f237 100644 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json 
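Review bot: Two of the osquery snippets added to the PowerShell Suspicious Payload Encoded and Compressed note are not valid once the outer JSON string is decoded: the SQL literals `"%LocalSystem"`, `"%LocalService"`, `"%NetworkService"` and `"trusted"` use double quotes inside the osquery block's own `"query":"..."` string, so the decoded markdown reads `"query":"SELECT ... LIKE "%LocalSystem" ..."` and the block would fail to parse. Single-quoted SQL literals (`'%LocalSystem'`, `'trusted'`) fix the nesting and are also the portable SQLite form. In the same predicate, `user_account == null` never evaluates true in SQLite (any comparison with NULL yields NULL); the three-valued `NOT (...)` happens to exclude those rows anyway, but `user_account IS NULL` states the intent correctly. If the same snippets are reused in other investigation guides, they need the same change.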
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", - "query": "sequence by host.id, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\"]\n [iam where event.action == \"scheduled-task-deleted\"]\n", + "query": "sequence by host.id, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" ], @@ -30,6 +30,11 @@ "name": "host.id", "type": "keyword" }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, { "ecs": false, "name": "winlog.event_data.TaskName", @@ -87,7 +92,7 @@ } ], "type": "eql", - "version": 1 + "version": 2 }, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json index 397bafd25cf..1547a151a72 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -48,7 +49,8 @@ "Host", "Windows", "Threat Detection", - "Discovery" + "Discovery", + "Elastic Endgame" ], "threat": [ { @@ -69,7 +71,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "type": "security-rule" 
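Review bot: The new `not user.name : "*$"` clauses in the Temporarily Scheduled Task Creation sequence exclude every computer account from both steps, and neither `note` nor a query comment explains the intent. Presumably this suppresses transient tasks the OS itself creates and deletes (whose 4698 subject is the machine account), but it also removes visibility of tasks created by services running as SYSTEM, so the trade-off is worth stating, e.g. `/* machine accounts (*$) excluded: routine OS-created transient tasks */` beside the first step. Because the filter is applied to each step independently, a task created by a user and deleted under the machine account also drops out of the sequence, which may or may not be intended.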
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json index 43d36001dde..719fde75b3b 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json 
@@ -14,9 +14,10 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material,\nsuch as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped\ncredentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : \"S-1-5-21-*\" and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : 
(\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": [ - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py" + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -91,7 +92,7 @@ "Threat Detection", "Lateral Movement", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -133,7 +134,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json index 1939b4b2ae8..36d752d90b0 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json 
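Review bot: The changed query line widens the second sequence step from `user.id : "S-1-5-21-*"` to `user.id : ("S-1-5-21-*", "S-1-12-1-*")` with no comment, so the reader has to know that S-1-12-1 is the Azure AD account SID prefix to understand why it sits next to the local/domain prefix. A one-line EQL comment beside the clause, `/* S-1-5-21-*: local and domain accounts; S-1-12-1-*: Azure AD accounts */`, records the intent, and the investigation guide in the same hunk, which still talks only about domain cached credentials, could mention that Azure AD-joined hosts are now in scope. The same prefix is introduced without explanation in the 92a6faf5 task-name exclusion later in this diff; the enclosing "query" value starts on an earlier line of this hunk.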
@@ -8,13 +8,14 @@ "index": [ "logs-endpoint.events.*", "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called\n\"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass\napplication allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with\nsome products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "query": "any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n 
\"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "query": "any where (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n 
\"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "required_fields": [ { "ecs": true, @@ -57,7 +58,8 @@ "Windows", "Threat Detection", "Execution", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -85,7 +87,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json index 64db0a9fe68..67381c66b15 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json @@ -54,7 +54,8 @@ "macOS", "Linux", "Threat Detection", - "Discovery" + "Discovery", + "Investigation Guide" ], "threat": [ { @@ -82,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "870aecc0-cea4-4110-af3f-e02e9b373655", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json index 7edc45638bd..615467efe6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json 
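Review bot: The changed query line now accepts `event.category : ("library", "driver")`, but nothing in the hunk says which data source reports PowerShell engine image loads under the driver category, and the same widening is made to 891cb88e in the next hunk set. If it is there to pick up the `endgame-*` data added to the index list in this hunk, a comment on that line, e.g. `/* "driver": image-load category used by <data source – confirm> */`, would tie the two changes together. As a carried-over style point, the `:` operator is case-insensitive, so `"msiexec.exe"` and `"MsiExec.exe"` in the process.name allowlist are duplicates and one can be dropped. The enclosing "query" value starts on an earlier line of this hunk.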
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -52,7 +53,8 @@
 "Windows",
 "Threat Detection",
 "Discovery",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -85,7 +87,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "871ea072-1b71-4def-b016-6278b505138d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
index 36601a4caaf..7296a6f3ac7 100644
--- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
+++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
@@ -8,13 +8,14 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious WMI Image Load from MS Office",
 "note": "",
- "query": "any where\n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n",
+ "query": "any where\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n",
 "references": [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
 ],
@@ -54,7 +55,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -75,7 +77,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json
index 373fe3d19e3..dcf6cd979d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json
+++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\") and\n destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert false positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", "required_fields": [ { @@ -65,7 +65,7 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -86,7 +86,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json index f4e3eba33b3..a93269e3f90 100644 
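Review bot: In the new investigation guide, the "Osquery - Retrieve Services Running on User Accounts" query filters with `user_account == null`, which never evaluates true in SQL because a comparison with NULL yields NULL; it should read `user_account IS NULL`. The rows are still dropped today only because NOT(NULL) is also NULL, so the result is right by accident rather than by design. The same embedded queries quote string literals with double quotes (`"%LocalSystem"`, `"trusted"`), which SQLite accepts only through its identifier-to-literal fallback that newer builds can disable; single-quoted literals are the portable form. The enclosing "note" value starts on an earlier line of this hunk.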
--- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json
+++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json
index b4976963e98..18b72d998d8 100644
--- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json
+++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json
@@ -17,7 +17,9 @@
 "references": [
 "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/christophetd/log4shell-vulnerable-app",
- "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
+ "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
+ "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
 ],
 "required_fields": [
 {
@@ -46,7 +48,8 @@
 "Linux",
 "macOS",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -74,7 +77,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json
index 6f471f0ff25..6d3fb7e0111 100644
--- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json
+++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -51,7 +52,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -101,7 +103,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json
index 3a14a3ce0f3..3ae0e788d62 100644
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json
+++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json
@@ -11,7 +11,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -45,7 +46,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -73,7 +75,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json
index b70c4a028f8..2c9a9894cc7 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json
@@ -21,7 +21,8 @@
 "references": [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
 "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
- "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+ "https://github.com/maxpl0it/CVE-2020-1350-DoS",
+ "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
 ],
 "required_fields": [
 {
@@ -50,7 +51,7 @@
 "Windows",
 "Threat Detection",
 "Initial Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -71,7 +72,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json
index 7b3f31bd50b..7f3e70f517d 100644
--- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json
+++ b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json
index 209d78c40cd..2f00a846223 100644
--- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json
+++ b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json
@@ -24,7 +24,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -78,7 +78,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json
index 340bd7d01b6..ec6d1aba985 100644
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json
+++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json
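Review bot: The `gcp` audit integration constraint is loosened from `^2.2.1` to `^2.0.0` for 8fb75dda and 9180ffdf here, and again for 97359fd8 and 9890ee61 further down, with no accompanying change to any of those rules' `query` or `required_fields`. If these rules depend on fields or mappings that the integration only populates from 2.2.x, the wider range lets the package install against data that lacks them and the rules could silently produce no alerts; this is inferred from the version numbers alone and should be checked against the integration's changelog. Either keep `"version": "^2.2.1"` or record in each rule's `note` why 2.0.0 is sufficient.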
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", - "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" ], @@ -72,7 +72,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 }, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json index 0c686f318fe..b3c7327c6c1 100644 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json @@ -62,7 +62,7 @@ "Continuous Monitoring", "SecOps", "Log Auditing", - "has_guide" + "Investigation Guide" ], "threat": [ { 
@@ -90,7 +90,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json index bb09b039390..7b7ddb0c7f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -53,7 +54,8 @@ "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Elastic Endgame" ], "threat": [ { @@ -96,7 +98,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json index 013fa3c8567..21f298847dd 100644 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json @@ -6,7 +6,8 @@ "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": [ - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", 
@@ -27,7 +28,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -53,7 +55,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json index bc0c623deda..8e306e06a22 100644 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json +++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json @@ -66,7 +66,7 @@ "Windows", "Threat Detection", "Lateral Movement", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -108,7 +108,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json index a7c0100a454..1d8330ddab1 100644 --- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json @@ -39,7 +39,7 @@ "Windows", "Threat Detection", "Collection", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -82,7 +82,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "959a7353-1129-4aa7-9084-30746b256a70", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json index 079b662a616..1e823877d2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json +++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json @@ -18,7 +18,8 @@ "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -69,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json new file mode 100644 index 00000000000..07ab3efdb63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json 
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "SeDebugPrivilege Enabled by a Suspicious Process",
+ "note": "",
+ "query": "any where event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n",
+ "references": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703",
+ "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": 
"winlog.event_data.EnabledPrivilegeList",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.ProcessName",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.SubjectUserSid",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd",
+ "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1134",
+ "name": "Access Token Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1134/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "97020e61-e591-4191-8a3b-2861a2b887cd",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
index e96128708ce..c892853cfb4 100644
--- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
+++ b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
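Review bot: The new rule's `description` does not describe what its `query` does: the query matches Security-Auditing `Token Right Adjusted Events` (event 4703) where `winlog.event_data.EnabledPrivilegeList` contains SeDebugPrivilege, the subject SID is outside S-1-5-18/19/20 and the process path is outside an allowlist — it says nothing about process creation or running as SYSTEM, and "impersonating a Windows core binary privileges" is not grammatical. A description that matches the logic would be `"description": "Identifies SeDebugPrivilege being enabled on a process token (Windows event 4703) by a subject other than the built-in service SIDs and by a process outside a set of expected system binaries. Adversaries may enable debug privileges to access other processes, escalate privileges and bypass access controls."`. `winlog.event_data.EnabledPrivilegeList` is declared `"type": "unknown"` while the sibling winlog fields are `keyword`, which looks like a generator placeholder and should be checked against the index mapping. The `setup` text has "with with" and "need to be configured" (should be "needs"), and since `note` is empty it is worth recording there that the `Program Files\\*`, `WinSxS\\*` and `Temp\\*-*\\DismHost.exe` exclusions are path-only, so any binary under those directories is out of scope regardless of signer — triage analysts should know that boundary.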
@@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json index 4f9a05e51ce..eda3217533e 100644 --- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json +++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json @@ -14,7 +14,8 @@ "note": "", "query": "sequence by user.email with maxspan=10m\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": [ - "https://www.mandiant.com/resources/russian-targeting-gov-business" + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "required_fields": [ { @@ -63,7 +64,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json index a639dc08db0..6bb27c13247 100644 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json 
@@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -41,7 +42,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -67,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json index 5dbdae853f9..4c91e20098e 100644 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys\nin the registry will cause the program referenced to be executed when a user logs in. These programs will executed\nunder the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring\na range of registry run keys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. 
This activity could be\nbased on new software installations, patches, or any kind of network administrator related activity. Before undertaking\nfurther investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys\nin the registry will cause the program referenced to be executed when a user logs in. These programs will executed\nunder the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring\na range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, 
name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be\nbased on new software installations, patches, or any kind of network administrator related activity. Before undertaking\nfurther investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "registry where registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in 
(\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", "required_fields": [ { @@ -53,7 +53,8 @@ "Host", "Windows", "Threat Detection", - "Persistence" + "Persistence", + "Investigation Guide" ], "threat": [ { @@ -83,7 +84,7 @@ "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "97fc44d3-8dae-4019-ae83-298c3015600f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json index 388844be768..b53d8b30835 100644 --- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json +++ b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json @@ -24,7 +24,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "9890ee61-d061-403d-9bf6-64934c51f638", "type": "security-rule" 
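Review bot: In the new `note` for 97fc44d3, the second osquery block filters with `user_account == null`, which in SQLite (osquery's engine) never evaluates to true; the intent of excluding rows with no account is only met by accident, because the comparisons against NULL make the whole `NOT (...)` evaluate to NULL for those rows, and `IS NULL` is the correct, readable form. The same queries wrap SQL string literals in double quotes (`LIKE \"%LocalSystem\"`, `!= \"trusted\"`), which SQLite treats as identifiers first and only falls back to string literals, and which, once the rule JSON is decoded, leave bare `"` characters inside the plugin's own `{"query": ...}` payload unless its parser tolerates that; the third block already uses single quotes in `concat('https://www.virustotal.com/gui/file/', sha1)`, so the others should follow it, e.g. `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)`. The guide also carries the pre-existing typo "These programs will executed" (missing "be") into the new text.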
diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json index 969608ec08a..dfb6fbb3299 100644 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json +++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json @@ -58,7 +58,7 @@ "SecOps", "Asset Visibility", "Exfiltration", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -79,7 +79,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json index deae95f5488..a08c5f2e44f 100644 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json +++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json 
@@ -15,7 +15,8 @@ "note": "", "query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz" + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -48,7 +49,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -76,7 +78,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "9960432d-9b26-409f-972b-839a959e79e2", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json index a9ccb1f461c..d1a84a6c1d6 100644 --- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json +++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json 
@@ -3,7 +3,7 @@ "author": [ "Elastic" ], - "description": "Identifies the manual reading of the /etc/shadow file via the commandline using standard system utilities. Threat actors will attempt to read this file, after elevating their privileges to root, in order to gain valid credentials they can utilize to move laterally undetected and access additional resources.", + "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "index": [ "auditbeat-*", 
@@ -11,8 +11,11 @@
 ],
 "language": "eql",
 "license": "Elastic License v2",
- "name": "Shadow File Read via Command Line Utilities",
- "query": "process where event.type == \"start\" and event.action == \"exec\" and user.name == \"root\" and\nprocess.args : \"/etc/shadow\" and\nnot process.executable: (\"/usr/bin/find\", \"/usr/bin/cmp\", \"/bin/ls\", \"/usr/sbin/restorecon\", \"/usr/bin/uniq\") and\nnot process.parent.executable: \"/bin/dracut\"\n",
+ "name": "Potential Shadow File Read via Command Line Utilities",
+ "query": "process where event.type == \"start\" and event.action == \"exec\" and user.name == \"root\" \n and (process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\"))\n and not process.executable: \n (\"/usr/bin/tar\", \n \"/bin/tar\", \n \"/usr/bin/gzip\", \n \"/bin/gzip\", \n \"/usr/bin/zip\", \n \"/bin/zip\", \n \"/usr/bin/stat\", \n \"/bin/stat\", \n \"/usr/bin/cmp\", \n \"/bin/cmp\", \n \"/usr/bin/sudo\", \n \"/bin/sudo\", \n \"/usr/bin/find\", \n \"/bin/find\", \n \"/usr/bin/ls\", \n \"/bin/ls\", \n \"/usr/bin/uniq\", \n \"/bin/uniq\", \n \"/usr/bin/unzip\", \n \"/bin/unzip\") \n and not process.parent.executable: \"/bin/dracut\"\n",
+ "references": [
+ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"
+ ],
 "required_fields": [
 {
 "ecs": true,
@@ -39,6 +42,11 @@
 "name": "process.parent.executable",
 "type": "keyword"
 },
+ {
+ "ecs": true,
+ "name": "process.working_directory",
+ "type": "keyword"
+ },
 {
 "ecs": true,
 "name": "user.name",
@@ -53,7 +61,8 @@
 "Host",
 "Linux",
 "Threat Detection",
- "Privilege Escalation"
+ "Privilege Escalation",
+ "Credential Access"
 ],
 "threat": [
 {
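Review bot: The widened exclusion list in the new `query` takes every invocation by `tar`, `gzip`, `zip`, `unzip` and `stat` (under both `/bin` and `/usr/bin`) out of scope, while the new `description` says the rule covers attempts to "read or dump" /etc/shadow; archiving or compressing the file is a dumping path, so the rule's own description now overstates its coverage. If these were added to quiet backup and packaging jobs, that rationale belongs in the query as an EQL comment, e.g. `/* archive, compression and stat utilities excluded to reduce backup/packaging noise - confirm */`, and the `sudo` exclusion is only safe because the privileged child is still evaluated on its own `exec` event, which is worth stating in the same comment. The added branch `process.working_directory: "/etc" and process.args: "shadow"` matches only the bare argument `shadow`; other relative spellings of the path stay out of scope, and that limit should be documented alongside the exclusions.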
@@ -70,11 +79,33 @@ "reference": "https://attack.mitre.org/techniques/T1068/" } ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] } ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 }, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json index b7897635686..320ec40f7e5 100644 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json +++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json 
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "note": "", - "query": "registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "query": "registry where\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" ], @@ -39,7 +40,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -67,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json index dafa1eb8294..fb88bb7d5e7 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json 
@@ -15,6 +15,9 @@ "name": "Persistence via WMI Event Subscription", "note": "", "query": "process where event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], "required_fields": [ { "ecs": true, @@ -74,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json index 1aa6affebd4..0b06aa66593 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json @@ -57,7 +57,8 @@ "Windows", "macOS", "Threat Detection", - "Impact" + "Impact", + "Investigation Guide" ], "threat": [ { @@ -87,7 +88,7 @@ "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json index eed5326642f..bff00362eaf 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json 
@@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -54,7 +55,8 @@ "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Elastic Endgame" ], "threat": [ { @@ -82,7 +84,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json index 5a30f071b3c..fd7a8f2b060 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -49,7 +50,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -86,7 +88,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json index c995c584d3b..c037c878258 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json 
@@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -44,7 +45,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -81,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json index 43deb122345..118a84d10fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -44,7 +45,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -72,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json index dffe0a8dee0..e6bc1cff0ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML\nschema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was\nintroduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will\ncompile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass\napplication control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of\ncredential access activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML\nschema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. 
The inline task capability of MSBuild that was\nintroduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will\ncompile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass\napplication control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of\ncredential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", 
\"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "required_fields": [ { 
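Review bot: The osquery snippets added to the investigation guide write SQL string literals with double quotes (`user_account LIKE \"%LocalSystem\"`, `authenticode.result != \"trusted\"`); after the JSON note is decoded these quotes appear unescaped inside the `"query"` value of the `!{osquery{...}}` block, which looks like it leaves the plugin with malformed JSON, and in SQL a double-quoted token is an identifier rather than a string. Use single quotes in all three queries, e.g. `user_account LIKE '%LocalSystem'` and `authenticode.result != 'trusted'`. The `user_account == null` predicate in the second query also never evaluates true in SQL and should read `user_account IS NULL`, otherwise the "Services Running on User Accounts" filter silently includes rows with no account. The `note` string starts on the hunk's first line and the hunk ends here.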
@@ -69,7 +69,7 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -89,7 +89,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json index 0fdc564d509..a216f221ebe 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json @@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -47,7 +48,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -75,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json index cd5766e0684..7844e014c15 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json @@ -35,7 +35,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Sysmon Only" ], "threat": [ { @@ -71,7 +72,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 100 + "version": 101 }, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json index a498dd7cfc4..12fd4b90112 100644 --- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json @@ -60,7 +60,7 @@ "Threat Detection", "Credential Access", "Active Directory", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -88,7 +88,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json index e5bfd43296e..340c0811349 100644 --- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json @@ -59,7 +59,7 @@ "SecOps", "Data Protection", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -80,7 +80,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "a00681e3-9ed6-447c-ab2c-be648821c622", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json index a82fcd34e75..7c7606fff3b 100644 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json +++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", - "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" ], @@ -72,7 +72,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 }, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json index b3122c46f68..512b199cab0 100644 --- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json +++ b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -74,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json index 8e391e41ab2..5b62129d95b 100644 --- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json +++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json @@ -44,7 +44,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -72,7 +73,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json index da24939936b..0ffd7110dab 100644 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json +++ b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json @@ -24,7 +24,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -83,7 +83,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json index 035f3c5677f..25b5656adf7 100644 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json 
+++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json @@ -66,7 +66,8 @@ "Linux", "macOS", "Threat Detection", - "Execution" + "Execution", + "Investigation Guide" ], "threat": [ { @@ -87,7 +88,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json index e48045a091b..028cd65d593 100644 --- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json +++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -45,7 +46,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -66,7 +68,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json index d44cb18d473..f71b662814d 100644 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json +++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", 
@@ -39,7 +40,8 @@ "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Elastic Endgame" ], "threat": [ { @@ -60,7 +62,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json index cf0b196ca31..ba9b9bbb9ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json +++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json 
@@ -12,7 +12,10 @@ "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the\ncase for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not\nmonitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive\nfile on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of\nactivity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", - "query": "file where event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : \"s-1-5-21*\"\n", + "query": "file where event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], "required_fields": [ { "ecs": true, @@ -50,7 +53,7 @@ "Threat Detection", "Lateral Movement", "Credential Access", - "has_guide" + "Investigation Guide" ], "threat": [ { 
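Review bot: The guide describes the trigger as "a medium-size registry hive file" but never states the `file.size \u003e= 30000` threshold or the `process.pid == 4` / `user.id` constraints the query actually applies, so an analyst tuning exceptions cannot tell which exports fall outside the rule. Suggest adding one sentence to the guide's intro: `The rule fires on regf files of at least 30,000 bytes written by the System process (process.pid == 4) under a domain (S-1-5-21*) or Azure AD (S-1-12-1-*) account SID.` The `user.id` edit is the only behavioral change here: Elastic EQL's `:` compares case-insensitively, so uppercasing `S-1-5-21*` is cosmetic, and the added `S-1-12-1-*` prefix is what widens coverage; that is worth a word in the version bump or a query comment such as `/* S-1-12-1-* covers Azure AD accounts */`.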
@@ -100,7 +103,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json
index 3b71fb2b13b..98a4a0367ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json
+++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json
@@ -61,7 +61,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Identity and Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -82,7 +82,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json
index a98be675d31..caf5c2be06b 100644
--- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json
+++ b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json
@@ -60,7 +60,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Identity and Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -88,7 +88,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json
index f4161ab1a90..878ad878c20 100644
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json
+++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json
@@ -15,6 +15,9 @@ "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer.\nYou can create and edit documents containing text and images, work with data in spreadsheets and databases, and create\npresentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted\nfor initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of\nmalicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include,\nbut are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", + "references": [ + "https://www.elastic.co/blog/vulnerability-summary-follina" + ], "required_fields": [ { "ecs": true, 
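Review bot: The false-positive section in this hunk states the activity is unlikely to happen legitimately, yet the child-process list beside it includes `explorer.exe`, `cmd.exe`, `powershell.exe`, `control.exe` and utilities such as `ipconfig.exe` and `hostname.exe`, which Outlook and the Office applications can spawn during ordinary use (opening an attachment's folder, add-in or IT-tooling scripts). Suggest qualifying that line, e.g. `- Office applications can legitimately spawn explorer.exe or helper binaries through add-ins and scripts; review the parent, the child command line and the user before adding an exception.` The parent check relies on `process.parent.name` alone, which any renamed binary satisfies; since the reg.exe rule in this same diff already matches on `process.pe.original_file_name`, pairing that field with the name here would make the parent condition harder to evade.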
@@ -42,7 +45,7 @@
 "Windows",
 "Threat Detection",
 "Initial Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -70,7 +73,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "a624863f-a70d-417f-a7d2-7a404638d47f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json
index 7d3e686a628..80bd651d429 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", - "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs\nby loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like\nCVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location\n`?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. 
The service manages print jobs\nby loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like\nCVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location\n`?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - 
Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - 
Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" @@ -49,7 +49,8 @@ "Host", "Windows", "Threat Detection", - "Privilege Escalation" + "Privilege Escalation", + "Investigation Guide" ], "threat": [ { @@ -70,7 +71,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "type": "security-rule" 
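Review bot: The new "Osquery - Retrieve Services Running on User Accounts" directive filters with `WHERE NOT (... OR user_account == null)`; in SQLite `== null` evaluates to NULL rather than true or false, so under three-valued logic the whole `NOT (...)` is NULL for every row and the query returns no services at all — it should be `user_account IS NULL`. The same directives embed `LIKE \"%LocalSystem\"` and `!= \"trusted\"`; once the note string is JSON-decoded those become bare double quotes inside the directive's own `"query":"..."` value, which is not well-formed unless the osquery markdown plugin parses its argument more leniently than JSON, and SQL single quotes (`LIKE '%LocalSystem'`, `!= 'trusted'`) avoid the nesting entirely. The identical osquery block is added to the Remotely Started Services via RPC rule (aa9a274d) later in this diff, whose hunk runs past the end of this view, so the same two fixes apply there.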
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json
index 830ebefbe7c..23c12f3165a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
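Review bot: Adding `endgame-*` to the index list only helps if that source populates the fields the query keys on; the query (context in the next hunk, outside this one) matches `process.pe.original_file_name == "reg.exe"` and `process.args`, and if Endgame process events carry only `process.name` and the command line, documents from the new index can never match. Either confirm the field mapping for that source or widen the executable check to `(process.pe.original_file_name == "reg.exe" or process.name : "reg.exe")`, noting that the name-only branch is weaker against a renamed binary.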
@@ -16,7 +17,8 @@ "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": [ - "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8" + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -45,7 +47,8 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -78,7 +81,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "type": "security-rule" 
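Review bot: The Related rules entry in this hunk names the sibling rule "Registry Hive File Creation via SMB", but rule a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 is titled "Windows Registry File Creation in SMB Share" elsewhere in this diff, so the reference should carry the current title for analysts searching by name. Two wording defects sit in the same context text: `legitamitely` should be `legitimately`, and "Investigate the script execution chain" describes a `reg.exe` process, so "Investigate the process execution chain" (the phrasing the other guides in this diff use) is the intended sentence.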
diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json
index fed4f98466c..97117fc7c05 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -89,7 +89,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "aa8007f0-d1df-49ef-8520-407857594827",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json
index 5e8553842d8..e8c19405e31 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json
@@ -13,7 +13,7 @@
 "license": "Elastic License v2",
 "name": "System Log File Deletion",
 "note": "",
- "query": "file where event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\"\n ) and\n not process.name : (\"gzip\")\n",
+ "query": "file where event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
 ],
@@ -57,14 +57,21 @@
 {
 "id": "T1070",
 "name": "Indicator Removal on Host",
- "reference": "https://attack.mitre.org/techniques/T1070/"
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.002",
+ "name": "Clear Linux or Mac System Logs",
+ "reference": "https://attack.mitre.org/techniques/T1070/002/"
+ }
+ ]
 }
 ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "aa895aea-b69c-4411-b110-8d7599634b30",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json
index be967f582fc..535732e5a3c 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json
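Review bot: The two paths added to the query, `/var/log/boot.log` and `/var/log/kern.log`, are files that scheduled log rotation commonly removes or recreates, while the only exclusion is `not process.name : ("gzip")`, so on hosts where the rotation tool itself unlinks the old file this rule will fire on every rotation cycle. Validate the change against a rotation run before release, and if an exclusion is needed prefer one keyed on `process.executable` rather than a bare name, since a name-only allowlist is trivial to satisfy. `"note"` remains the empty string in this hunk while most rules in this commit gain an investigation guide; a short guide explaining the rotation-related false positives and which process deleted the file would fit here. The T1070.002 subtechnique mapping added in the second hunk matches the technique reference already present.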
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service\nprograms running on a remote computer. A remote service management session begins with the client initiating the\nconnection request to the server. If the server grants the request, the connection is established. The client can then\nmake multiple requests to modify, query the configuration, or start and stop services on the server by using the same\nsession until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the\nspawn of a child process.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the\n`source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the\nprogram used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service\nprograms running on a remote computer. A remote service management session begins with the client initiating the\nconnection request to the server. If the server grants the request, the connection is established. 
The client can then\nmake multiple requests to modify, query the configuration, or start and stop services on the server by using the same\nsession until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the\nspawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the\n`source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the\nprogram used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
 "query": "sequence with maxspan=1s\n [network where process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where event.type == \"start\" and process.parent.name : \"services.exe\" and \n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n 
\"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n",
 "references": [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"
@@ -93,7 +93,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Lateral Movement"
+ "Lateral Movement",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -113,7 +114,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json
index cbeee309eb7..f542caf8265 100644
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json
+++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote Execution via File Shares",
- "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These\ntools can include discovery utilities, credential dumpers, malware, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These\ntools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
 "query": "sequence with maxspan=1m\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where event.type == \"start\"] by host.id, process.executable\n",
 "references": [
 "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"
@@ -58,7 +58,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Lateral Movement"
+ "Lateral Movement",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -85,7 +86,7 @@
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json
index 92aafc9f847..12696204795 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json
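Review bot: The osquery directives added inside the new `note` string embed bare double quotes within a JSON string value — once the outer JSON escaping is undone, the plugin sees `"query":"... user_account LIKE "%LocalSystem" ..."` and `... authenticode.result != "trusted""` — which a strict parser of the `!{osquery{...}}` block would reject unless it is deliberately lenient; SQLite accepts single-quoted literals, so `'%LocalSystem'`, `'%LocalService'`, `'%NetworkService'` and `'trusted'` would be valid in both layers. Separately, `user_account == null` in the "Retrieve Services Running on User Accounts" query compares against NULL, which under SQLite's three-valued logic yields NULL rather than false, so `NOT (... OR user_account == null)` is never true and the query appears to return no rows at all; `user_account IS NULL` expresses the intent. The same directives are added in the aa9a274d-6b53-424d-ac5e-cb8ca4251650 note hunk above and the ad84d445-b1ce-4377-82d9-7c633f28bf9a note hunk below, so the fix applies there too.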
@@ -61,21 +61,29 @@
 {
 "id": "T1547",
 "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.011",
- "name": "Plist Modification",
- "reference": "https://attack.mitre.org/techniques/T1547/011/"
- }
- ]
+ "reference": "https://attack.mitre.org/techniques/T1547/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1647",
+ "name": "Plist File Modification",
+ "reference": "https://attack.mitre.org/techniques/T1647/"
 }
 ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 101
 },
 "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json
index b880a639f2b..9b6275d3180 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json
@@ -11,7 +11,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -54,7 +55,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -75,7 +77,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json
index beb8edd3ba8..dccfc85d6da 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json
@@ -27,10 +27,10 @@
 "Cloud",
 "AWS",
 "ML",
- "has_guide"
+ "Investigation Guide"
 ],
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json
index d79e5741ca9..a2ebc5dc8ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json
@@ -16,7 +16,8 @@
 "query": "event.category:process and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n",
 "references": [
 "https://attack.mitre.org/software/S0002/",
- "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"
+ "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1",
+ "https://www.elastic.co/security-labs/detect-credential-access"
 ],
 "required_fields": [
 {
@@ -40,7 +41,7 @@
 "Windows",
 "Threat Detection",
 "Credential Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -68,7 +69,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json
index f7f68e9f6ea..b927d82d4ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json
@@ -8,7 +8,8 @@
 "from": "now-9m",
 "index": [
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -52,7 +53,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -73,7 +75,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "ad0d2742-9a49-11ec-8d6b-acde48001122",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json
index c67b1c067f5..2439eb23db8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json
@@ -12,7 +12,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Suspicious Portable Executable Encoded in Powershell Script",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,\nbypassing file-based security protections. These executables are generally base64 encoded.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,\nbypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, 
modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.category:process and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n",
 "references": [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
@@ -39,7 +39,7 @@
 "Windows",
 "Threat Detection",
 "Execution",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -67,7 +67,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json
index 05f407fd631..b72dd942ba8 100644
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json
+++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json
@@ -14,18 +14,21 @@ ], "language": "eql", "license": "Elastic License v2", - "name": "Netcat Network Activity", + "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and\nconnection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse\nshells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects\nthe system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are\nvulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for\nan incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat\nfollowed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the\n domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network\nconnections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any\nspawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be 
used for benign or malicious activity. It is included in some Linux\ndistributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may\noriginate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
- "query": "sequence by process.entity_id\n [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n event.type == \"start\"]\n [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+ "query": "sequence by process.entity_id\n [process where process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or 
process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
 "references": [
 "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
- "https://en.wikipedia.org/wiki/Netcat"
+ "https://en.wikipedia.org/wiki/Netcat",
+ "https://www.hackers-arise.com/hacking-fundamentals",
+ "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/",
+ "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"
 ],
 "required_fields": [
 {
 "ecs": true,
- "name": "event.type",
+ "name": "process.args",
 "type": "keyword"
 },
 {
@@ -47,7 +50,8 @@
 "Host",
 "Linux",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -61,13 +65,20 @@
 {
 "id": "T1059",
 "name": "Command and Scripting Interpreter",
- "reference": "https://attack.mitre.org/techniques/T1059/"
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.004",
+ "name": "Unix Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/004/"
+ }
+ ]
 }
 ]
 }
 ],
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
 "type": "security-rule"
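Review bot: Two of the new `process.args` branches on the `+ "query"` line — `or process.args:(">","<")` and `or (process.args:("|") and process.args:("nc","ncat"))` — look for shell redirection and pipe operators in the netcat process's own argument vector, but the invoking shell consumes those operators before it execs `nc`, so unless the collector records the full shell command line in `process.args` these branches will not match and the "File Transfer" half of the new name over-states the coverage. The rewrite also drops `event.type == "start"` from the first sequence step while `required_fields` swaps `event.type` for `process.args`; if the source emits non-start process events that carry `process.args`, those now open sequences too, so consider keeping `and event.type == "start"` alongside the args block and listing both fields. The unchanged investigation guide still opens with `### Investigating Netcat Network Activity`, which no longer matches the renamed rule; rename the heading to `### Investigating File Transfer or Listener Established via Netcat`.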
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json
index 2fd7f170acd..c71052610fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json
+++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json
@@ -17,6 +17,10 @@
 "license": "Elastic License v2",
 "name": "Local Scheduled Task Creation",
 "query": "sequence with maxspan=1m\n [process where event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n",
+ "references": [
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"
+ ],
 "required_fields": [
 {
 "ecs": true,
@@ -99,7 +103,7 @@
 }
 ],
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
index 33d6ca95b9c..2f7f90b7f4d 100644
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
+++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources 
like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. 
However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
 "references": [
 "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
@@ -45,7 +46,8 @@
 "Windows",
 "Threat Detection",
 "Command and Control",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
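Review bot: The osquery embedded in the new `+ "note"` line for "Osquery - Retrieve Services Running on User Accounts" ends its filter with `user_account == null`, which in SQL never evaluates true (any comparison with NULL yields NULL), so the clause is inert and NULL accounts are only dropped because `NOT (... OR NULL)` happens to be NULL as well; write it as `user_account IS NULL` so the guide states the intent and does not depend on that side effect. The same queries use double-quoted string literals (`"%LocalSystem"`, `"trusted"`), which SQLite parses as identifiers and only falls back to strings through a compatibility quirk; single-quoted literals (`'%LocalSystem'`, `'trusted'`) are the portable form and would also remove the `\"` escaping inside the JSON string.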
@@ -71,7 +73,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
index 3e9c86d4b1a..fa90e4656dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -62,7 +64,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
index 7fc5c070b00..75eb5062f48 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json
index 397ea3faf1c..fab230ba776 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of\nlogging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the\nexecution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be\ntrying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", - "query": "process where event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", + "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": [ 
"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
@@ -23,7 +24,7 @@
 "required_fields": [
 {
 "ecs": true,
- "name": "event.action",
+ "name": "event.type",
 "type": "keyword"
 },
 {
@@ -52,7 +53,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -80,7 +82,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "b5877334-677f-4fb9-86d5-a9721274223b",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
index 61befdae85d..8637507230f 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
@@ -47,7 +47,7 @@
 "Windows",
 "Threat Detection",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -68,7 +68,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
index 1889bf4db0e..a5bb5a35543 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json
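Review bot: The corrected `+ "query"` line still pairs `*Remove-Item*` with only the `rm` alias, while Windows PowerShell ships further built-in aliases for the same cmdlet (`ri`, `del`, `erase`), so a history-file deletion issued through one of those aliases does not satisfy the `process.args : ("*Remove-Item*", "rm")` clause even though the second clause on `*ConsoleHost_history.txt*` / `*(Get-PSReadlineOption).HistorySavePath*` would match; consider `process.args : ("*Remove-Item*", "rm", "ri", "del", "erase")`. That alias list is from memory of the default alias set and should be checked against the PowerShell versions in scope before the change lands. The `event.action` to `event.type` switch, mirrored in `required_fields`, is consistent with the other rules in this commit that gain the `endgame-*` index.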
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json
index 3e6d5984b8e..39e9546afcd 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -70,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "b8075894-0b62-46e5-977c-31275da34419",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
index 8bd8ea74537..f973f6100b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -40,7 +41,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Credential Access"
+ "Credential Access",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -73,7 +75,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json
new file mode 100644
index 00000000000..fedcba3eda5
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json
@@ -0,0 +1,59 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.",
+ "false_positives": [
+ "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host."
+ ],
+ "from": "now-24h",
+ "index": [
+ ".alerts-*"
+ ],
+ "interval": "1h",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host",
+ "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kibana.alert.rule.threat.tactic.id",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "signal.rule.name",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Threat Detection",
+ "Higher-Order Rules"
+ ],
+ "threshold": {
+ "cardinality": [
+ {
+ "field": "kibana.alert.rule.threat.tactic.id",
+ "value": 3
+ }
+ ],
+ "field": [
+ "host.id"
+ ],
+ "value": 1
+ },
+ "timeline_id": "4434b91a-94ca-4a89-83cb-a37cdc0532b7",
+ "timeline_title": "Alerts Involving a Single Host Timeline",
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 1
+ },
+ "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json
index 6834feb7dc8..be2ad041963 100644
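Review bot: The `+ "query"` line mixes the legacy `signal.rule.name:*` with the alerts-as-data field `kibana.alert.rule.threat.tactic.id:*`; if I read the 8.x alert index mapping correctly, `signal.*` survives there only as a backward-compatibility alias, so a rule that already depends on `kibana.alert.*` would be more consistent as `kibana.alert.rule.name:* and kibana.alert.rule.threat.tactic.id:*`, with the second `required_fields` entry renamed to match. The `false_positives` text already concedes that one rule mapped to several tactics can satisfy the cardinality of 3 by itself; stating in `description` that the threshold counts distinct `kibana.alert.rule.threat.tactic.id` values per `host.id` over the 24h `from` window would surface that limitation before an analyst reaches the false-positive note. With `interval` of 1h and `from` of now-24h the same host can satisfy the threshold on every run for a day; confirm that threshold-rule deduplication covers this before relying on alert volume from this rule for prioritisation.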
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json
@@ -45,7 +45,7 @@
 "Threat Detection",
 "Privilege Escalation",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -73,7 +73,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json
index 2c92e5ce1ad..110671db438 100644
--- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "note": "", - "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\" ,\n \"SolarwindsDiagnostics*.exe\")\n", + "query": "registry where registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" ], @@ -44,7 +45,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -94,7 +96,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "b9960fef-82c6-4816-befa-44745030e917", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json index 3ee88f85986..67d6b674902 100644 
--- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json @@ -71,7 +71,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -92,7 +92,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json index 01e1856d03d..01f00b30e69 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -69,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json new file mode 100644 index 00000000000..ee1c8b64794 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json 
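Review bot: The `related_integrations` constraint for the gcp audit package is relaxed from `^2.2.1` to `^2.0.0` in the `@@ -23` hunk of bc0f2d83, and the same change is made in bca7d28e and c58c3081. That constraint is what tells Kibana which integration versions the rule's fields are known to exist in, so if any field the query relies on was added to the gcp audit data stream after 2.0.0 the new range claims a compatibility the rule does not have; the query bodies are outside these hunks, so this cannot be checked here. Confirming the field history against the integration's changelog, or stating the reason for the relaxation in the PR description, would make the change reviewable.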
@@ -0,0 +1,86 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.",
+ "false_positives": [
+ "SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."
+ ],
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Non-Standard Port SSH connection",
+ "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n",
+ "references": [
+ "https://attack.mitre.org/techniques/T1571/"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Command and Control",
+ "macOS"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1571",
+ "name": "Non-Standard Port",
+ "reference": "https://attack.mitre.org/techniques/T1571/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+ },
+ "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json
index a037b13a024..9ff76031f7b 100644
--- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json
+++ b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json
index 431cb95e059..fdb2e11fe36 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json
@@ -40,7 +40,7 @@
 "Windows",
 "Threat Detection",
 "Collection",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
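Review bot: The network stage of the sequence in the new bc8ca7e0 rule excludes only `destination.ip != "127.0.0.1"`, so the rest of `127.0.0.0/8` and the IPv6 loopback `::1` still alert on local ssh forwarding; EQL's `cidrMatch` states the intent in one line, `and not cidrMatch(destination.ip, "127.0.0.0/8", "::1")`. Unlike the other rules in this package, the new rule sets no `"timestamp_override": "event.ingested"`, so with `"from": "now-9m"` endpoint events that are ingested late are never evaluated; adding that key keeps it consistent with the rest of the package. The description reads "port paring", which looks like "port pairing", and the false-positive text "alerts the usage of the such uncommon ports" should be reworded.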
@@ -90,7 +90,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "bd2c86a0-8b61-4457-ab38-96943984e889", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json index e43af2d5688..a771ee25a59 100644 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -17,7 +18,8 @@ "query": "process where event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/" + "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { @@ -50,7 +52,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Elastic Endgame" ], "threat": [ { @@ -83,7 +86,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json index 507ac40172e..ee97c581626 100644 
--- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json @@ -70,7 +70,8 @@ "Windows", "Threat Detection", "Persistence", - "Privilege Escalation" + "Privilege Escalation", + "Investigation Guide" ], "threat": [ { @@ -120,7 +121,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json index c4d478b6c30..d467cdfc477 100644 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -51,7 +52,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Elastic Endgame" ], "threat": [ { @@ -72,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json index 5f37abbbd45..0a5787b0513 100644 --- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json +++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json 
@@ -16,7 +16,9 @@ "references": [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", - "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf" + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" ], "required_fields": [ { @@ -101,7 +103,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json index 58fe731f456..3ff62015b7a 100644 --- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json +++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json @@ -51,6 +51,7 @@ "Host", "Windows", "Threat Detection", + "Initial Access", "Lateral Movement" ], "threat": [ @@ -75,11 +76,33 @@ ] } ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] } ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json index 3a01c07f22e..b2b2bb448ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json +++ b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json @@ -23,7 +23,7 @@ { "integration": "audit", "package": "gcp", - "version": "^2.2.1" + "version": "^2.0.0" } ], "required_fields": [ @@ -82,7 +82,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json index 27467431fd9..4414a9d1762 100644 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json +++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json @@ -68,7 +68,8 @@ "Host", "Windows", "Threat Detection", - "Credential Access" + "Credential Access", + "Sysmon Only" ], "threat": [ { @@ -95,7 +96,7 @@ } ], "type": "eql", - "version": 100 + "version": 101 }, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json index afb6e6ac012..ced9950cecd 100644 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json +++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json 
@@ -11,7 +11,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -48,7 +49,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -85,7 +87,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json index 60914d1d8c8..1fd61b3928a 100644 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json 
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. 
It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": [ "https://twitter.com/mohammadaskar2/status/1301263551638761477", @@ -51,7 +52,8 @@ "Windows", "Threat Detection", "Command and Control", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
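Review bot: In the new investigation guide's "Retrieve Services Running on User Accounts" osquery, the filter `user_account == null` never evaluates to true in SQLite (any comparison with NULL yields NULL); rows with no account are dropped only because the whole `NOT (...)` expression collapses to NULL for them, so the intent should be written as `user_account IS NULL`. The same queries use double-quoted string literals (`"%LocalSystem"`, `"trusted"`), which SQLite accepts only through its legacy identifier-fallback and which also force `\"` escaping inside the JSON string; single-quoted SQL literals such as `'%LocalSystem'` are the portable form and need no escaping here. The hunk begins at `@@ -8,12 +8,13 @@` and the guide is one JSON string, so both fixes are text edits within the `note` value.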
@@ -72,7 +74,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json index 5812b1c5fe3..f6834af54cd 100644 --- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json @@ -19,7 +19,8 @@ "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -78,7 +79,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "c749e367-a069-4a73-b1f2-43a3798153ad", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json index 45509ada71a..618fe110bef 100644 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json 
@@ -19,7 +19,8 @@ "references": [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -65,7 +66,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json index 9057bf91299..ef2980e1978 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json 
@@ -5,7 +5,7 @@ ], "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", "false_positives": [ - "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster." + "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" ], "index": [ "logs-kubernetes.*" 
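Review bot: The added exception guidance names the field `kubernetes.audit.requestObject.spec.container.image`, but the query and `required_fields` in the next hunk use `kubernetes.audit.requestObject.spec.containers.image` (plural); an analyst following the text would build an exception on a field that does not exist in the document and it would never apply. The text should read `"kubernetes.audit.requestObject.spec.containers.image"`.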
@@ -14,17 +14,38 @@ "license": "Elastic License v2", "name": "Kubernetes Privileged Pod Created", "note": "", - "query": "kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and\n kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n", + "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods \n and kubernetes.audit.verb:create \n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": [ "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", 
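Review bot: The new query hard-codes an exclusion for one image tag, `docker.elastic.co/beats/elastic-agent:8.4.0`, so every other agent release will alert again and the rule needs editing on each upgrade; a wildcard on the tag or, better, leaving this to rule exceptions as the updated `false_positives` text itself recommends, keeps the detection logic free of deployment-specific allow-listing. An image reference in a pod spec is only a string chosen by whoever submits the pod, so an exclusion keyed on it is a weaker trust anchor than one keyed on the requesting user or namespace, and that limitation belongs in the rule's `note`, which is still `""`. Minor: the query lines end with a trailing space before `\n` (`"kubernetes.audit_logs" \n`), which the other rules in the package avoid.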
@@ -62,11 +83,26 @@
 "reference": "https://attack.mitre.org/techniques/T1611/"
 }
 ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json
index 6d209ec8c34..d5e7b308ced 100644
--- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json
+++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json
@@ -17,7 +17,8 @@
 "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\"\n",
 "references": [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
- "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+ "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+ "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
 ],
 "required_fields": [
 {
@@ -66,7 +67,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json
index 7195afd04ab..42017628275 100644
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", - "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically\nimplemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these\nnetwork connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate\nport scanners, exploits, and tools used to move laterally on the environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 
preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically\nimplemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these\nnetwork connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate\nport scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR 
user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where event.type == \"start\" and host.os.name == \"Windows\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "required_fields": [ { @@ -66,7 +66,7 @@ "Windows", "Threat Detection", "Lateral Movement", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -93,7 +93,7 @@ } ], "type": "eql", - "version": 101 + "version": 102 }, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "type": "security-rule" 
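Review bot: The osquery payloads embedded in the rewritten `note` use double quotes for SQL string literals — `user_account LIKE \"%LocalSystem\"` and `authenticode.result != \"trusted\"` — inside a `\"query\":\"...\"` value, so once the JSON escaping of the note is undone the `!{osquery{...}}` block holds unescaped quotes inside a string and will not survive a strict JSON parse of the plugin payload (and SQLite reads double-quoted tokens as identifiers first). Use single quotes for the literals, as the `concat('https://www.virustotal.com/gui/file/', sha1)` query on the same line already does: `user_account LIKE '%LocalSystem'`, `authenticode.result != 'trusted'`. Separately, `user_account == null` compares against NULL, which yields NULL rather than false; since `FALSE OR NULL` is NULL the outer `NOT (...)` is never true and the "Services Running on User Accounts" query appears to return no rows, so it should read `user_account IS NULL`. The identical payloads are added in the c8b150f0 note hunk below and need the same correction there.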
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json
index 7e0502f08ce..2c9049ed437 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", - "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for\nan attacker.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. 
This activity could be based\non new software installations, patches, or other network administrator activity. Before undertaking further investigation,\nit should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for\nan attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR 
user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based\non new software installations, patches, or other network administrator activity. Before undertaking further investigation,\nit should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "registry where\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "required_fields": [ { @@ -34,7 +34,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -62,7 +62,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json index b44d98c9963..ef3c75a033b 100644 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json 
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json
@@ -11,7 +11,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -53,7 +54,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -81,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json
index 55a32422ae0..2410df7b08e 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json
@@ -15,11 +15,12 @@ "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that\na program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID\nfiles contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade\nmalware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in\n malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. 
Use a database like VirusTotal to identify additional\n pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network\nconnections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any\nspawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is\nan executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", - "query": "/* add file size filters when data is available */\nfile where event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"cron*.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\"\n )\n", + "query": "/* add file size filters when data is available */\nfile where event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"cron*.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\"\n )\n", "references": [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", 
 "https://twitter.com/GossiTheDog/status/1522964028284411907",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
 ],
 "required_fields": [
 {
@@ -57,7 +58,8 @@
 "Linux",
 "Threat Detection",
 "Execution",
- "BPFDoor"
+ "BPFDoor",
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -78,7 +80,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "cac91072-d165-11ec-a764-f661ea17fbce",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json
index 54589e7b723..e02f29ce40b 100644
--- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json
+++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json
@@ -66,7 +66,7 @@
 "SecOps",
 "Configuration Audit",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -87,7 +87,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json
index e9b4b2231ec..521ec669b4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json
+++ b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
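Review bot: The exclusion list this hunk extends with `"1_waagent.pid"` is evaluated with `not file.name in (...)`, and EQL's `in` is documented as an exact, case-sensitive comparison with no wildcard support, so the pattern entries carried over in the new query line — `"python*"`, `"kworker*"`, `"cron*.pid"` — only ever match a file literally named with an asterisk and never exclude a `python3.pid` or `cron.pid`. If those wildcards are intended the list should use the `:` operator, `not file.name : (...)`, which does expand `*`; if exact names are intended, the entries should be spelled out. This only affects how noisy the rule is, not what it would miss, but a new exception is a good moment to fix the operator so the whole list behaves as written.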
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json
index 0bce5b1846f..b7e454fc707 100644
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json
+++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json
index 7d1d3262ad3..939f8dc1255 100644
--- a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json
+++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Process Herpaderping Attempt",
- "query": "sequence with maxspan=5s\n [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+ "query": "sequence with maxspan=5s\n [process where event.type == \"start\" and not process.parent.executable :\n (\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*.exe\"\n )\n ] by host.id, process.executable, process.parent.entity_id\n [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
 "references": [
 "https://github.com/jxy-s/herpaderping"
 ],
@@ -92,7 +92,7 @@
 }
 ],
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json
index 3300f2d155a..269a8e93381 100644
--- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json
+++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json
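Review bot: The new parent-executable exclusions `"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*.exe"` and `"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*.exe"` match an executable at any depth below those directories, because `*` in an EQL wildcard also crosses path separators, so every start-then-overwrite sequence whose parent lives anywhere in those trees is now out of scope for the rule. That is a noticeably wider carve-out than the single Windows Update path it replaces and nothing in the rule says why it is safe; add a short comment inside the query, e.g. `/* self-update of Elastic Agent and Trend Micro components overwrites their own executables — presumed benign, revisit on vendor changes */`, so the exclusion can be re-evaluated rather than inherited. If the motivating behaviour is narrower than "anything under these directories", tighten the globs to the specific updater binaries.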
@@ -19,7 +19,8 @@ "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -71,7 +72,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json index f4572ae6fcd..61324039da8 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json @@ -18,7 +18,8 @@ "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -69,7 +70,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json index e7d15ab94e4..8b3235cb8f4 100644 
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json @@ -16,7 +16,8 @@ "note": "", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": [ - "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/" + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -62,7 +63,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json index 54d22f26fe1..9705ac0ecc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json @@ -21,7 +21,8 @@ "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", "references": [ "https://blog.morphisec.com/fin7-attacks-restaurant-industry", - "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" ], "risk_score": 73, "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", 
@@ -64,7 +65,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 100 + "version": 101 }, "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json index bef5b975be3..03cba1e89bd 100644 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json 
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to\nhide malware and make the execution less suspicious.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof parent process executable and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage 
identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\nThis is related to the `Process Execution from an Unusual Directory rule`.", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to\nhide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON 
services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof parent process executable and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\nThis is related to the `Process Execution from an Unusual Directory rule`.", "query": "process where event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n 
\"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "required_fields": [ { @@ -47,7 +48,9 @@ "Windows", "Threat Detection", "Execution", - "Defense Evasion" + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -90,7 +93,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json index ce2b37add7e..d8f9f914bfb 100644 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json @@ -12,7 +12,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -57,7 +58,8 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { 
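Review bot: The new investigation guide's second osquery, "Osquery - Retrieve Services Running on User Accounts", tests `user_account == null`, which in SQL is never true — a comparison with NULL yields NULL, so services with a NULL account are dropped only because the whole `NOT (...)` predicate collapses to NULL, not because the condition matched as written; it should read `OR user_account IS NULL`. The same queries use double quotes for string literals (`"%LocalSystem"`, `"trusted"`), which SQLite only accepts as a legacy fallback when no matching column exists; the third query already uses single quotes for `'https://www.virustotal.com/gui/file/'`, so the guide should be consistent and use single-quoted literals throughout. The `dns_cache`, `services` and `authenticode` tables are Windows-only, which is fine here since the rule is Windows-scoped, but the guide may want to say so since it is now also rendered against `endgame-*` data.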
@@ -78,7 +80,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json index ac37c48a2e8..acb429ed3f9 100644 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json @@ -46,7 +46,8 @@ "Host", "Windows", "Threat Detection", - "Privilege Escalation" + "Privilege Escalation", + "Investigation Guide" ], "threat": [ { @@ -96,7 +97,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json index f88882bbad1..fdedcb2a747 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -47,7 +48,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -75,7 +77,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json new file mode 100644 index 00000000000..f591ec85927 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Windows Service Installed", + "query": "sequence by winlog.logon.id, host.id with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella 
Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json index f08d8474656..8e4aedc3a24 100644 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json @@ -18,7 +18,8 @@ "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -70,7 +71,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json index 233e132766d..0fdf8551bb3 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json @@ -19,7 +19,8 @@ "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { 
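Review bot: The new rule's `description` ends with a stray escaped quote — `...commonly done by administrators.\"` — which renders as a literal `"` after the full stop in Kibana; drop the `\"`. The `ServiceFileName` exclusions `?:\\Program Files (x86)\\*.exe` and `?:\\Program Files\\*.exe` exempt every service binary under either Program Files tree, and `?:\\Windows\\PSEXESVC.EXE` exempts the exact service PsExec-style tooling creates, so the rule as written will not see the most common remote-service lateral-movement pattern; if that is intentional because a dedicated PsExec rule covers it, the description should say so. The sequence joins on `winlog.logon.id`, which `required_fields` lists as type `unknown` — worth confirming the system integration populates that field on the 4697 service-installed event (rather than only `winlog.event_data.SubjectLogonId`), otherwise the second step will never correlate. Unlike the sibling rules in this change, this one has no `timestamp_override`; if that omission is deliberate for sequence rules, a short `setup` note like the one in d68e95ad would document it.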
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
index 5bc1bab28cf..6843792d8cd 100644
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
+++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
@@ -63,7 +63,7 @@
 "SecOps",
 "Log Auditing",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -106,7 +106,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
index 1b573108e51..e2cacc13051 100644
--- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
+++ b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json
new file mode 100644
index 00000000000..400814c5429
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of discovery commands to enumerate system info or files and folders using the Windows Command Shell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Information Discovery via Windows Command Shell", + "note": "", + "query": "process where event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json index 351fc16f2b3..3b1b0bcf999 100644 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json 
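Review bot: The new query `process.args : "/c" and process.args : ("set", "dir")` matches a `set` or `dir` token anywhere in the argument array, not only as the command following `/c`, so `cmd /c echo dir` fires while the quoted form `cmd /c "dir /b"` (a single args element `dir /b`) does not; consider `process.args : ("set", "set *", "dir", "dir *")` if quoted invocations should be in scope, and accept that the rule cannot tell the command word from a later argument without looking at `process.command_line`. The `note` is an empty string, whereas the sibling rules in this change ship an investigation guide; for a low-severity rule that will fire on build scripts and admin one-liners, at least a "False positive analysis" paragraph naming those sources and recommending parent-executable exceptions is needed. The `index` list also omits `endgame-*` and the `Elastic Endgame` tag that the other Windows process rules in this change gain — say whether that is intentional.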
@@ -8,17 +8,19 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send\ncleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications\nbased on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,\nwhich is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the\n`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is\ncommonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should\ntreat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the entire domain to credential compromises and\nconsequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type : (\"creation\", \"change\") and\n registry.path :\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", + "query": "registry where event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", - "https://frsecure.com/compromised-credentials-response-playbook" + "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" ], "required_fields": [ { 
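Review bot: The `\\REGISTRY\\MACHINE\\...` path variant is added to `registry.path`, but the value match `registry.data.strings : ("1", "0x00000001")` is unchanged — confirm the data source that emits the `\REGISTRY\MACHINE` form (presumably the newly added `endgame-*` index) represents the DWORD in one of those two strings, otherwise the new path never matches. The carried-over exclusion `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")` exempts any code hosted in a SYSTEM svchost, which is exactly where an injected credential-dumping payload would run, and the guide's own false-positive section states the key "should not happen legitimately"; if the exclusion exists for a known benign writer, the note should name it under "False positive analysis" so analysts know what the blind spot is. The `note` text is unchanged in this hunk and continues past the hunk's context lines.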
@@ -57,7 +59,8 @@
 "Windows",
 "Threat Detection",
 "Credential Access",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -85,7 +88,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
index c9cbcf1be02..da0fc17c68c 100644
--- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
+++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json
@@ -11,7 +11,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -48,7 +49,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -91,7 +93,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
index 671fa128f36..089b0880d29 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
@@ -63,7 +63,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Monitoring",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -84,7 +84,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json
index b8a6c827352..fb4ca9d04d1 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json
@@ -48,7 +48,7 @@
 "Windows",
 "Threat Detection",
 "Impact",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -69,7 +69,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json
new file mode 100644
index 00000000000..00138247d73
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious service was installed in the system", + "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to\nservice activities (for example, 4697 and/or 7045).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true\npositive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \"*echo*\", \"*RemComSvc*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \"*echo*\", \"*RemComSvc*\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ImagePath", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + 
"id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json index 5f8ec9f4dbd..9832813b4e5 100644 --- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json +++ b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json @@ -48,7 +48,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -69,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 102 + "version": 103 }, "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json index 0a089164f49..71edb0d095e 100644 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json +++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Impact", - "has_guide" + "Investigation Guide" ], "threat": [ { 
@@ -68,7 +68,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json
index c88b244d77f..228f55abff2 100644
--- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json
+++ b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json
@@ -27,10 +27,10 @@
 "Cloud",
 "AWS",
 "ML",
- "has_guide"
+ "Investigation Guide"
 ],
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "id": "dca28dee-c999-400f-b640-50a081cc0fd1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/dd7f1524-643e-11ed-9e35-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/dd7f1524-643e-11ed-9e35-f661ea17fbcd.json
new file mode 100644
index 00000000000..202aab12fc2
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/dd7f1524-643e-11ed-9e35-f661ea17fbcd.json
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution.", + "false_positives": [ + "Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Reverse Shell Created via Named Pipe", + "query": "sequence by host.id with maxspan = 5s\n [process where event.type == \"start\" and process.executable : (\"/usr/bin/mkfifo\",\"/usr/bin/mknod\") and process.args:(\"/tmp/*\",\"$*\")]\n [process where process.executable : (\"/bin/sh\",\"/bin/bash\") and process.args:(\"-i\") or\n (process.executable: (\"/usr/bin/openssl\") and process.args: (\"-connect\"))]\n [process where (process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") or\n (process.name: \"openssl\" and process.executable: \"/usr/bin/openssl\"))]\n", + "references": [ + "https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998", + "https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dd7f1524-643e-11ed-9e35-f661ea17fbcd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "dd7f1524-643e-11ed-9e35-f661ea17fbcd", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json index d5e03483211..a38c8c31832 100644 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json 
@@ -11,12 +11,17 @@ "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", - "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n", + "query": "registry where event.type in (\"creation\", \"change\") and\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nlength(registry.data.strings) \u003e 0\n", "references": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" ], "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, { "ecs": true, "name": "registry.data.strings", @@ -64,7 +69,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 100 + "version": 101 }, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json index 1623fd6456b..cee2a7275fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -41,7 +42,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { 
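Review bot: `length(registry.data.strings) > 0` in the new query assumes a scalar string, but `NullSessionPipes` is a REG_MULTI_SZ value, so `registry.data.strings` is normally multi-valued; Elasticsearch EQL has had documented limitations with array-valued arguments to functions such as `length()` (returning null rather than evaluating per element in some releases), and in that case the rule would silently never fire. Please verify against the stack versions this package targets, or use a function-free form that keeps the "non-empty value" intent, e.g. `registry.data.strings != null and not registry.data.strings : ""`. The WDigest rule updated in this same change (d703a5af) also adds the `\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\...` spelling of the key for sources that emit the native path; a second `registry.path` entry in that form would be worth adding here for consistency so the same data sources are covered.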
@@ -62,7 +64,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json
index 5435cedd710..1882463e0f0 100644
--- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json
+++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json
@@ -5,7 +5,7 @@ ], "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", "false_positives": [ - "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective." + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" ], "index": [ "logs-kubernetes.*" 
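Review bot: The exception guidance added to `false_positives` names the field `kubernetes.audit.requestObject.spec.container.image`, but the field the rule actually queries and lists under `required_fields` in the following hunk is `kubernetes.audit.requestObject.spec.containers.image`, so an analyst following this text would build an exception that never matches; change it to `"kubernetes.audit.requestObject.spec.containers.image"`. The mojibake repair also dropped the possessive: `shares the hosts IPC, Network, and PID namespaces` should read `shares the host's IPC, Network, and PID namespaces`.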
@@ -14,18 +14,39 @@ "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostPID", "note": "", - "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostPID:true\n", + "query": "event.dataset : \"kubernetes.audit_logs\" \n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\" \n and kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") \n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": [ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.hostPID", 
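Review bot: The new exclusion `not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")` is pinned to a single image tag, so every other Elastic Agent release will alert again and the query will need editing on each upgrade; the `false_positives` text already directs users to handle trusted images via rule exceptions, which is where this belongs, or at minimum the pattern should be `docker.elastic.co/beats/elastic-agent:*`. More importantly, `spec.containers.image` is an array field, so the `not` clause suppresses the whole audit event when any container in the pod uses the allow-listed image: a multi-container pod that bundles that agent image alongside an arbitrary `hostPID: true` workload is silently exempted. If a baked-in allow-list is kept, that gap should at least be called out in `note`, which this hunk leaves as an empty string.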
@@ -63,11 +84,26 @@ "reference": "https://attack.mitre.org/techniques/T1611/" } ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] } ], "timestamp_override": "event.ingested", "type": "query", - "version": 100 + "version": 200 }, "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json index 684c0fe008b..bd386f8e7e3 100644 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json +++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json @@ -18,7 +18,8 @@ "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -74,7 +75,7 @@ "value": 3 }, "type": "threshold", - "version": 101 + "version": 102 }, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json index 984ca0406c4..9a99af2339c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json 
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script,\nwhich can circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, 
Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script,\nwhich can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.category:process and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n )\n", "references": [ "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" @@ -39,7 +39,7 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -94,7 +94,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json index 8d32e03a992..b072fd28fc0 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json @@ -66,7 +66,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { 
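Review bot: In the `Osquery - Retrieve Services Running on User Accounts` query added to the guide, `user_account == null` never evaluates to true in SQLite (any comparison with NULL yields NULL), so NULL-account rows are excluded only as a side effect of NULL propagating through `NOT (...)`; write it as `user_account IS NULL` so the intent survives the next edit. The string literals use double quotes (`\"%LocalSystem\"`, and `\"trusted\"` in the VirusTotal query), which SQLite first tries to resolve as identifiers before falling back to strings; single quotes (`'%LocalSystem'`) are the unambiguous form and also remove the `\"` escaping inside the JSON string.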
@@ -102,7 +102,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json
index d8abe2c3d41..a935d0a4801 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json
index 3987dd57567..d0850e4f7b1 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json
@@ -23,7 +23,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -74,7 +74,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
 "type": "security-rule"
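Review bot: The `related_integrations` entry for the gcp audit package in the `@@ -23,7 +23,7 @@` hunk of e2fb5b18 is loosened from `"version": "^2.2.1"` to `"version": "^2.0.0"`, which declares the rule compatible with older package releases than before. Unless the fields the rule's query reads are known to be present and mapped identically in gcp audit 2.0.0, the constraint should stay at the version that introduced them, otherwise a rule installed against an older package could silently produce no matches. If the loosening is intentional (for example to align with a stack's minimum supported package version), a line in the PR description saying so would help the next reviewer. The rule's query and required_fields are outside this hunk, so I cannot confirm the field set from here.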
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json
index 1d24343ead4..2ffc602b276 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json
@@ -11,7 +11,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -44,7 +45,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Execution"
+ "Execution",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -94,7 +96,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json
index bbb6ebf5694..a045b699c19 100644
--- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json
+++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -78,7 +79,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json
index ea8dd51648a..adb8ffc07ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json
@@ -41,7 +41,7 @@
 "Windows",
 "Threat Detection",
 "Credential Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -69,7 +69,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "e514d8cd-ed15-4011-84e2-d15147e059f1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json
index 56d43d069a1..888b15451fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json
+++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json
@@ -15,7 +15,8 @@
 "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -71,7 +72,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json
index f7c34bec096..e1d88d28d0f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json
+++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json
@@ -21,7 +21,8 @@
 "https://www.cobaltstrike.com/help-setup-collaboration",
 "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
- "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
+ "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
 ],
 "required_fields": [
 {
@@ -82,7 +83,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 100
+ "version": 101
 },
 "id": "e7075e8d-a966-458e-a183-85cd331af255",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json
index a41bd94510f..b62ccde21be 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json
@@ -21,7 +21,8 @@
 "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -107,7 +108,7 @@
 "value": 5
 },
 "type": "threshold",
- "version": 101
+ "version": 102
 },
 "id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json
index 693fc3bd469..1a8bbab7a1c 100644
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json
+++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation\nof a vulnerability or a malicious process masquerading as a system-critical process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation\nof a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. 
Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "required_fields": [ { @@ -42,7 +43,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -63,7 +65,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json index a91a3a5aecb..c8ed605be32 100644 --- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json +++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json @@ -63,7 +63,7 @@ "Continuous Monitoring", "SecOps", "Identity and Access", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -87,7 +87,7 @@ "value": 25 }, "type": "threshold", - "version": 102 + "version": 103 }, "id": "ea248a02-bc47-4043-8e94-2885b19b2636", "type": "security-rule" 
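Review bot: In the new `note` string of e94262f2 (hunk `@@ -8,12 +8,13 @@`), the osquery payloads labelled "Osquery - Retrieve Services Running on User Accounts" and "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" write SQL literals with double quotes (`LIKE \"%LocalSystem\"`, `!= \"trusted\"`); once the rule JSON is decoded these become bare `"` characters inside the plugin's own JSON `"query"` string and terminate it early, so unless the Osquery Markdown plugin parses leniently those two queries will not render or run. Single-quoted SQL literals avoid the nesting entirely: `user_account LIKE '%LocalSystem'`, `user_account LIKE '%LocalService'`, `authenticode.result != 'trusted'`. The same query also tests `user_account == null`, which in SQLite never evaluates true; `user_account IS NULL` is the intended check. The identical quoting appears in the rewritten guide of e26f042e earlier in this diff, whose hunk starts outside this chunk.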
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json
index 8e66f6fd910..5f2a1ef9445 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json
@@ -40,7 +40,7 @@
 "Windows",
 "Threat Detection",
 "Credential Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -95,7 +95,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
index e259e474df1..eb41bcea5e5 100644
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
+++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
@@ -8,13 +8,17 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], "required_fields": [ { "ecs": true, @@ -37,7 +41,8 @@ "Windows", "Threat Detection", "Credential Access", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -58,7 +63,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json index 7acf4d0a774..5799f7ec588 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json @@ -8,7 +8,8 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", @@ -52,7 +53,8 @@ "Host", "Windows", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "Elastic Endgame" ], "threat": [ { @@ -80,7 +82,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json
index 4b01876e2da..15992a33d49 100644
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json
+++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -41,7 +42,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -69,7 +71,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json
index bed223c93b8..79d513f7cf2 100644
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json
+++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -55,7 +56,8 @@
 "Windows",
 "Threat Detection",
 "Discovery",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -105,7 +107,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json
index 9a11d2e449d..a42ef463c06 100644
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json
+++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -71,7 +72,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json
index ee723142922..499c086fe16 100644
--- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json
+++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json
@@ -8,7 +8,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -49,7 +50,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -72,7 +74,7 @@
 "timeline_title": "Comprehensive Process Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json
index f28333152dd..a0a8532c8de 100644
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json
@@ -12,7 +12,8 @@
 "winlogbeat-*",
 "logs-endpoint.events.*",
 "logs-windows.*",
- "logs-system.*"
+ "logs-system.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -66,7 +67,8 @@
 "Windows",
 "Threat Detection",
 "Discovery",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -87,7 +89,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json
index d8b8bfda536..403c534eefb 100644
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json
@@ -19,7 +19,8 @@
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
 ],
 "related_integrations": [
 {
@@ -69,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
index e974b6cf309..2213ada89a8 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
@@ -55,14 +55,7 @@
 {
 "id": "T1547",
 "name": "Boot or Logon Autostart Execution",
- "reference": "https://attack.mitre.org/techniques/T1547/",
- "subtechnique": [
- {
- "id": "T1547.011",
- "name": "Plist Modification",
- "reference": "https://attack.mitre.org/techniques/T1547/011/"
- }
- ]
+ "reference": "https://attack.mitre.org/techniques/T1547/"
 }
 ]
 },
@@ -87,11 +80,26 @@
 ]
 }
 ]
+ },
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1647",
+ "name": "Plist File Modification",
+ "reference": "https://attack.mitre.org/techniques/T1647/"
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json
index 0c6834fd9d3..da70db65646 100644
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json
+++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json
@@ -6,12 +6,13 @@
 "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.",
 "from": "now-9m",
 "index": [
- "logs-endpoint.events.*"
+ "logs-endpoint.events.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
 "name": "SIP Provider Modification",
- "query": "registry where event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n",
+ "query": "registry where event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n",
 "references": [
 "https://github.com/mattifestation/PoCSubjectInterfacePackage"
 ],
@@ -40,7 +41,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
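Review bot: Each pattern in the rewritten `query` line of f2c7b914 now begins with `*\\\\SOFTWARE\\\\...` instead of `HKLM\\\\SOFTWARE\\\\...`, so the rule matches the SIP/trust-provider subkey path under any hive, including per-user hives, where to my knowledge Windows does not read SIP registrations. If the intent is only to accept the hive spelling emitted by Endgame registry events alongside `HKLM` (presumably the reason `endgame-*` was added to `index` in the same hunk), listing the known hive prefixes explicitly keeps the match anchored and avoids a leading wildcard on `registry.path`, e.g. `"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\..."` plus the Endgame-specific prefix. If the wildcard is genuinely required, a sentence in the rule source explaining why would save the next reader from re-tightening it.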
@@ -68,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json
index 158bbd21aab..a57b6565d2e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json
+++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -45,7 +46,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Credential Access"
+ "Credential Access",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -75,7 +77,7 @@
 "timeline_title": "Comprehensive File Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json
index 2002cc1c39c..c9e5a672ca9 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json
@@ -49,7 +49,7 @@
 "Threat Detection",
 "Credential Access",
 "Active Directory",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -73,7 +73,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json
index 82ed9a13025..b93f93b65fe 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json
@@ -42,7 +42,7 @@
 "Windows",
 "Threat Detection",
 "Initial Access",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -70,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json
new file mode 100644
index 00000000000..e7842efbf96
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Masquerading Space After Filename",
+ "note": "",
+ "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and \n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n",
+ "references": [
+ "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "macOS",
+ "Threat 
Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.006",
+ "name": "Space after Filename",
+ "reference": "https://attack.mitre.org/techniques/T1036/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json
index 999365084f9..0b3cb440752 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json
@@ -11,7 +11,8 @@
 "index": [
 "logs-endpoint.events.*",
 "winlogbeat-*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -56,7 +57,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -84,7 +86,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json
index 6d6a128aa78..f78b3099ab9 100644
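Review bot: The `query` regex `/[a-z0-9\s_\-\\./]+\s` has to match the whole `process.executable`, so any path containing a character outside that class (`+`, `@`, `~`, `(`, `,`, `%`, non-ASCII) never matches and `/tmp/Invoice+2022.pdf ` slips past a rule whose premise is an attacker-chosen filename; only the trailing whitespace carries the signal, so `process.executable regex~ """/.+\s"""` is both simpler and complete. The `description` also needs copy fixes before shipping: `This rules identifies` → `This rule identifies`, and `it's true filetype instead of it's extension` → `its true filetype instead of its extension`. The exclusion `process.name in ("ls", "find", "grep", "xkbcomp")` deserves a one-line comment in the query naming the benign case behind it, since a reader cannot tell from the rule why those four names are safe to drop. The new file's `note` is left empty while the rest of this change is converting guides to the `Investigation Guide` tag; a triage section would fit here.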
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json
@@ -8,7 +8,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -46,7 +47,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -74,7 +76,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json
index fa110d20dc9..fff1bb8c1dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json
+++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json
@@ -62,7 +62,7 @@
 "Continuous Monitoring",
 "SecOps",
 "Monitoring",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -90,7 +90,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "id": "f772ec8a-e182-483c-91d2-72058f76a44c",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json
index 352979d9758..eaec352922f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious 
or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "required_fields": [ { @@ -47,7 +47,7 @@ "Windows", "Threat Detection", "Persistence", - "has_guide" + "Investigation Guide" ], "threat": [ { @@ -75,7 +75,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json index 77149a86650..6d72467658c 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json 
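Review bot: The osquery payloads added to this investigation guide put SQL string literals in double quotes inside the plugin's own JSON `query` string — once the note is JSON-decoded the block reads `"query":"... WHERE NOT (user_account LIKE "%LocalSystem" ...`, so the first inner quote terminates the string and the `!{osquery{...}}` block will not parse unless the Osquery Markdown Plugin is unusually lenient; the third query's `authenticode.result != "trusted"` has the same problem. The second query additionally tests `user_account == null`, which in SQLite evaluates to NULL rather than TRUE, and since `FALSE OR NULL` is NULL the surrounding `NOT (...)` rejects every row, so "Retrieve Services Running on User Accounts" returns nothing. Use single-quoted literals and `IS NULL`: `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. The `required_fields` array opened at the end of this hunk continues outside it.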
@@ -8,13 +8,14 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and\nservices to integrate with any antimalware product that's present on a machine. AMSI provides integration with multiple\nWindows components, ranging from User Account Control (UAC) to VBA Macros.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade\ndetections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows 
Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": [ "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" @@ -46,7 +47,8 @@ "Windows", "Threat Detection", "Defense Evasion", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -74,7 +76,7 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "type": "security-rule" diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json index 133e1f8e2d6..a97f3da1b07 100644 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json +++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json @@ -18,7 +18,8 @@ "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { @@ -114,7 +115,7 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 101 + "version": 102 }, "id": "f994964f-6fce-4d75-8e79-e16ccc412588", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json
index aa99bc94cad..6e841d686df 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json
@@ -14,13 +14,18 @@
 "license": "Elastic License v2",
 "name": "Potential Application Shimming via Sdbinst",
 "note": "",
- "query": "process where event.type == \"start\" and process.name : \"sdbinst.exe\"\n",
+ "query": "process where event.type == \"start\" and process.name : \"sdbinst.exe\" and \n not (process.args : \"-m\" and process.args : \"-bg\") and \n not process.args : \"-mm\"\n",
 "required_fields": [
 {
 "ecs": true,
 "name": "event.type",
 "type": "keyword"
 },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
 {
 "ecs": true,
 "name": "process.name",
@@ -86,7 +91,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json
index 5ccdb637e2b..2a9d39096ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json
@@ -9,7 +9,8 @@
 "index": [
 "winlogbeat-*",
 "logs-endpoint.events.*",
- "logs-windows.*"
+ "logs-windows.*",
+ "endgame-*"
 ],
 "language": "eql",
 "license": "Elastic License v2",
@@ -53,7 +54,8 @@
 "Host",
 "Windows",
 "Threat Detection",
- "Defense Evasion"
+ "Defense Evasion",
+ "Elastic Endgame"
 ],
 "threat": [
 {
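Review bot: The new `not (process.args : "-m" and process.args : "-bg")` and `not process.args : "-mm"` exclusions in `query` key only on switches the operator chooses, so if sdbinst accepts them together with a database path (the benign `-m -bg` run is presumably the OS's own quiet re-apply), `sdbinst.exe -m -bg C:\Users\x\shim.sdb` — or any command line that merely carries `-mm` — no longer alerts, which turns the exclusion into a documented bypass. Tie each exclusion to the shape of the benign invocation rather than to the flags alone, e.g. `not (process.args : "-m" and process.args : "-bg" and not process.args : "*.sdb") and` / `not (process.args : "-mm" and not process.args : "*.sdb")`, and add the expected parent process once it is confirmed from telemetry. A short comment in the query stating which component issues the `-m -bg` and `-mm` runs would let the next maintainer re-validate the exclusion. The `required_fields` array continues outside the hunk.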
@@ -76,7 +78,7 @@
 "timeline_title": "Comprehensive Process Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json
index 6029a79f479..4cfdbc87b61 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json
@@ -8,12 +8,13 @@ "index": [ "winlogbeat-*", "logs-endpoint.events.*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows\nNT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be\nused by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual\nbehavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege\nescalation.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is 
unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows\nNT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be\nused by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. 
This is an unusual\nbehavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege\nescalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,\nand any spawned child processes.\n- Examine the host for derived artifacts that indicates suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by\n filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT * FROM dns_cache\", \"label\":\"Osquery - Retrieve DNS Cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related\n processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\",\"label\":\"Osquery - Retrieve All 
Services\"}}\n - !{osquery{\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)\",\"label\":\"Osquery - Retrieve Services Running on User Accounts\"}}\n - !{osquery{\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"\",\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and\n reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" @@ -55,7 +56,8 @@ "Windows", "Threat Detection", "Execution", - "has_guide" + "Investigation Guide", + "Elastic Endgame" ], "threat": [ { @@ -78,7 +80,7 @@ "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 101 + "version": 102 }, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "type": "security-rule" 
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json
index f8eb0e46455..2ad16878679 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json
@@ -55,7 +55,7 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide"
 ],
 "threat": [
 {
@@ -76,7 +76,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json
index 28977a8cba0..7d4d44eb171 100644
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json
+++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json
@@ -7,13 +7,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-windows.*" + "logs-windows.*", + "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications.\nHistorically, macros have been used for a variety of reasons -- from automating part of a job, to\nbuilding entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as\npart of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a\nsystem, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros\nis one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or\nspear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and\nno warnings are displayed when they are executed. These settings include:\n\n* *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code\nwithout showing a security warning or requiring user permission.\n* *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security\nwarning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true\npositives (B-TPs), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", - "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings == \"0x00000001\" and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", "required_fields": [ { "ecs": true, 
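Review bot: The rewritten `query` keeps `"mshta.exe"` twice in the `process.name` list; the duplicate is harmless to EQL but reads like a lost entry, so either drop it or put back the process that was meant. The switch to `registry.data.strings : ("0x00000001", "1")` is sensible, since it accepts the plain `"1"` form alongside the hex form that the guide text describes as "set to 1". The added `S-1-12-1-*` and `\\REGISTRY\\USER\\` path variants widen coverage (presumably to cloud-joined account SIDs and the path form seen in the new `endgame-*` index); `required_fields` continues past the end of this hunk, so confirm nothing there needs to follow the new fields.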
@@ -46,7 +47,8 @@
 "Windows",
 "Threat Detection",
 "Defense Evasion",
- "has_guide"
+ "Investigation Guide",
+ "Elastic Endgame"
 ],
 "threat": [
 {
@@ -89,7 +91,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
index 23ffe99f97c..3bce977e5b8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
@@ -24,7 +24,7 @@
 {
 "integration": "audit",
 "package": "gcp",
- "version": "^2.2.1"
+ "version": "^2.0.0"
 }
 ],
 "required_fields": [
@@ -70,7 +70,7 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
 "type": "security-rule"
diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml
index 96a8fd77f25..5234c37a3b4 100644
--- a/packages/security_detection_engine/manifest.yml
+++ b/packages/security_detection_engine/manifest.yml
@@ -1,7 +1,7 @@
 categories:
 - security
 conditions:
- kibana.version: ^8.3.0
+ kibana.version: ^8.4.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 1.0.0
 icons:
@@ -15,4 +15,4 @@ owner:
 release: ga
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.3.2
+version: 8.4.1
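Review bot: The `related_integrations` bound for the `gcp` `audit` integration is relaxed from `^2.2.1` to `^2.0.0`, so the rule now installs alongside integration versions the previous bound deliberately excluded; if 2.2.1 was chosen because a field the query reads first appeared there, that mapping gap returns. Confirm the entries in `required_fields` (which starts at the end of this hunk) all exist in the 2.0.0 mappings, or record the reason for the relaxation so the next reviewer does not re-tighten it.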
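Review bot: `kibana.version: ^8.4.0` still admits 8.4.x stacks, while the rewritten investigation guide in fd7a6052-58fa-4397-93c3-4795249ccfa2.json elsewhere in this commit states that its osquery markdown needs 8.5.0 and is shown unrendered on older versions. The guide acknowledges this itself, so the constraint is presumably intentional; if so, the release notes for 8.4.1 should say that 8.4 users will see raw `!{osquery{...}}` blocks in those guides rather than leaving it to be discovered in the UI.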